我正在寻找一些如何使用node.js和mondodb安全地存储密码和其他敏感数据的示例。
I'm looking for some examples of how to securly store passwords and other sensitive data using node.js and mondodb.
我想让一切都使用独特的盐
I want everything to use a unique salt that I will store along side the hash in the mongo document.
对于验证,我只是盐和加密输入并将其匹配到一个存储的哈希?
For authentication would I just salt and encrypt the input and match it to a stored hash?
我应该需要解密此数据,如果是这样,我该怎么办?
Should I ever need to decrypt this data and if so how should I do it?
甚至是安全存储在服务器上的盐化方法?
How are the private keys, or even salting methods securely stored on the server?
我听说过AES和Blowfish都是好的选择,我应该使用什么?
I've heard the AES and Blowfish are both good options, what should I use?
如何设计此示例的任何示例都将非常有用!
谢谢!
推荐答案使用: https:// github。 com / ncb000gt / node.bcrypt.js /
bcrypt是关注此用例的几个算法之一。您应该永远无法解密密码,只验证用户输入的明文密码与存储/加密的哈希值匹配。
bcrypt is one of just a few algorithms focused on this use case. You should never be able to decrypt your passwords, only verify that a user-entered cleartext password matches the stored/encrypted hash.
bcrypt非常简单易用。这里是我的Mongoose用户模式(在CoffeeScript)的代码段。确保使用异步函数作为bycrypt是慢的(有意)。
bcrypt is very straightforward to use. Here is a snippet from my Mongoose User schema (in CoffeeScript). Be sure to use the async functions as bycrypt is slow (on purpose).
class User extends SharedUser defaults: _.extend {domainId: null}, SharedUser::defaults #Irrelevant bits trimmed... password: (cleartext, confirm, callback) -> errorInfo = new errors.InvalidData() if cleartext != confirm errorInfo.message = 'please type the same password twice' errorInfo.errors.confirmPassword = 'must match the password' return callback errorInfo message = min4 cleartext if message errorInfo.message = message errorInfo.errors.password = message return callback errorInfo self = this bcrypt.gen_salt 10, (error, salt)-> if error errorInfo = new errors.InternalError error.message return callback errorInfo bcrypt.encrypt cleartext, salt, (error, hash)-> if error errorInfo = new errors.InternalError error.message return callback errorInfo self.attributes.bcryptedPassword = hash return callback() verifyPassword: (cleartext, callback) -> bcryptpare cleartext, @attributes.bcryptedPassword, (error, result)-> if error return callback(new errors.InternalError(error.message)) callback null, result另外,请阅读这篇文章,这应该说服你bcrypt是一个好的选择,并帮助你避免变得好,真正的效果。
Also, read this article, which should convince you that bcrypt is a good choice and help you avoid becoming "well and truly effed".
更多推荐
使用Node.js和MongoDB存储密码
发布评论