Keeping User Passwords Secure with Node.js


It might come as a shock (or not) that, on average, about 30% of websites on the internet today still utilize the archaic practice of storing the passwords for user accounts to web application databases in plain text.

Surely web developers could do something about this. Unfortunately, the practice of storing passwords in plaintext is how most compromised usernames and passwords end up on the dark web for sale after a data breach.

Web developers need not look too far for solutions when development tools like can automatically generate role-based authorization models for their applications. It also allows them to create as many roles as necessary and set permissions granularly per data model or individual fields for various roles.

keeping user passwords secure with nodejs

Also ReadHow To Run CHKDSK on Windows 10

Node.js has become an exciting runtime environment for web and application development and has proven to be a severe contender in the market.

Several options for password obfuscation exist, and we will look at and compare two methods in this article: password encryption and password hashing.

Password Encryption

Like other forms of encryption, password encryption relies on using an encryption key to transform the user’s password into cipher text. It is referred to as a two-way function. This cipher text is then stored in the application’s database.

When the user logs into the application, the stored password is decrypted and compared to the incoming user password. The security of this method relies on the assumption that the malicious actor does not have the key to decrypt the password stored in the database.

The shortfall of this method is that it only remains effective while the key is unknown. When threat actors gain access to the application database during a data breach, the chance exists that they also have access to the secure sections of the infrastructure where the decryption key is stored—rendering the security effort null and void. This scenario will also play out when privileged users access the data for nefarious purposes.

Also Read10 Best 2-in-1 Laptops for Programming

Password Hashing

The Node.js bcrypt package utilizes a complex algorithm to generate a fingerprint of the user’s password. This method is called hashing and is referred to as a one-way function.

Essentially, when looking at the database, the password stored on the database does not resemble the original password in any way.

Since the password was not encrypted using a standard encryption key, reverting the hashed password to its original form would be impossible.

Unfortunately, this does not protect against dictionary attacks when users use weak passwords for their accounts.

Running two identical passwords through a hashing algorithm, like MD5, will always result in identical hashes.

Due to this, threat actors create rainbow tables and dictionaries of hashed passwords that have been popular (or leaked). An attacker can exploit rainbow tables to find the cryptographic hash function of the password.

An attacker’s PC could compute all of these hashes in real-time but using a huge table of hash values in advance allows the attack to proceed more quickly. A rainbow table can also be generated programmatically in bulk in a short time by threat actors.

Also ReadHow to Crop Google Sheets

Adding Salt and Cost Factor

The Node.js bcrypt package resolves this issue by adding two additional factors to creating a password hash. The first is called: Salt. Salt is a 22-character string randomly generated for each user account upon creation.

This salt is then appended to the cleartext password before passing through the hashing algorithm. The other factor that is added to this process is the cost factor. This cost factor aims to deliberately add complication to the production of the resulting password hash, which will require more processing resources to generate.

The cost factor determines how long it takes to calculate a single BCrypt hash. The higher the cost factor, the more hashing rounds are performed. This has an indirect impact on anyone who is trying to crack the password hash.

Increasing the cost factor by one will cost a decrypting entity twice the time in processor seconds. The more time required, the more difficult brute-forcing becomes. The idea is essentially to slow the threat actor down so much that he will no longer be interested in retrieving the correct password hash.

Also Read10 Best Free Business Intelligence Platforms to Know About

In Conclusion

Utilizing the Node.js cryptographic modules for their intended purposes can sufficiently fortify user passwords for online applications. Developers need to understand when to use encryption and when hashing is the best option.

Although concurrently applying all the methods discussed in this article will provide improved password security, users should not be lulled into the impression that a weak password would suffice. Strong passwords are always the first line of defense.

When it comes to cyber security, organizations must understand an important rule: “You will never be completely safe from attacks.” With this in mind, application development specialists gravitate toward powerful environments such as Node.js, building applications with security in mind.