Bcrypt has some advantages over PBKDF2 [1]; however, PBKDF2 is good enough and built into Node.js, removing a native dependency. PBKDF2 is the algorithm recommended by NIST [2] for password-based key derivation. (We're using it for password hashing, which is a different but related use case.)
This patch also adds some functionality, namely:
- verifyPassword method (required for verifying passwords)
- ability to customize the number of hashing iterations
- automatically reduce number of iterations in testing (NODE_ENV=unit)
[1] http://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage
[2] http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf
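An added example, not the code from this patch: one way to build the three features listed in the commit message on Node's built-in `crypto.pbkdf2Sync`. Only `verifyPassword` and `NODE_ENV=unit` come from the message; `hashPassword`, the `pbkdf2$...` storage format, the digest, the lengths and the iteration counts are assumptions made for illustration.

```javascript
'use strict';
const crypto = require('node:crypto');

// All constants below are assumed values for this example, not the patch's.
const DIGEST = 'sha512';
const KEY_LENGTH = 64;             // bytes of derived key
const SALT_LENGTH = 16;            // bytes of random per-password salt
const DEFAULT_ITERATIONS = 210000; // production work factor
const TEST_ITERATIONS = 1;         // used only when NODE_ENV=unit
const MAX_ITERATIONS = 10000000;   // reject absurd counts in stored records

// An explicit count wins; otherwise fall back to the environment default.
function resolveIterations(iterations) {
  if (iterations !== undefined) {
    if (!Number.isInteger(iterations) || iterations < 1 || iterations > MAX_ITERATIONS) {
      throw new RangeError('iterations must be an integer in [1, MAX_ITERATIONS]');
    }
    return iterations;
  }
  return process.env.NODE_ENV === 'unit' ? TEST_ITERATIONS : DEFAULT_ITERATIONS;
}

// Returns "pbkdf2$<digest>$<iterations>$<salt b64>$<key b64>". Storing the
// iteration count with the hash lets the default be raised later without
// invalidating existing records.
function hashPassword(password, iterations) {
  const rounds = resolveIterations(iterations);
  const salt = crypto.randomBytes(SALT_LENGTH);
  const key = crypto.pbkdf2Sync(password, salt, rounds, KEY_LENGTH, DIGEST);
  return ['pbkdf2', DIGEST, rounds, salt.toString('base64'), key.toString('base64')].join('$');
}

// Re-derives the key with the stored salt and iteration count, then compares
// in constant time. Malformed records fail closed (return false).
function verifyPassword(password, stored) {
  const parts = String(stored).split('$');
  if (parts.length !== 5 || parts[0] !== 'pbkdf2' || parts[1] !== DIGEST) return false;
  const rounds = Number(parts[2]);
  if (!Number.isInteger(rounds) || rounds < 1 || rounds > MAX_ITERATIONS) return false;
  const salt = Buffer.from(parts[3], 'base64');
  const expected = Buffer.from(parts[4], 'base64');
  if (expected.length !== KEY_LENGTH) return false; // timingSafeEqual needs equal lengths
  const actual = crypto.pbkdf2Sync(password, salt, rounds, KEY_LENGTH, DIGEST);
  return crypto.timingSafeEqual(actual, expected);
}
```

The reduced count under `NODE_ENV=unit` only keeps test suites fast; a record hashed that way still verifies, because the count is read back from the stored string rather than from the environment.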