Unlocking Secure Password Storage with Salt Hashing
What is Hashing?
Hashing is a core cryptographic primitive: an algorithm maps input data of any size to a fixed-length string called the digest. A cryptographic hash is a one-way function, meaning it is computationally infeasible to recover the input from its digest, which is what makes it suitable for storing password verifiers (it is also used for integrity checks and digital signatures). In this tutorial, we’ll build a password hasher that stores user credentials in a database using a technique called salt hashing.
The Power of Salt Hashing
Salt hashing adds an extra layer of protection to password storage. A salt is a random string generated fresh for every password; it is combined with the user-entered password and the combination is hashed with a suitable cryptographic hash algorithm. Because each user gets a different salt, two users with the same password end up with different hashes, and an attacker who steals the database cannot use a precomputed table of hashes for common passwords; every stored hash has to be attacked separately. The salt is not a secret: it is stored next to the hash so the same combination can be recomputed at login. Only the salt and the resulting hash are stored, so plaintext passwords never reach the database.
Getting Started
To follow along with this tutorial, you’ll need:
- A basic understanding of Node.js
- A code editor, such as VS Code, installed
- POSTMAN installed
- MongoDB set up
Crafting the Hashing Functions
We’ll create three functions to perform the following tasks:
- Generate a random salt
- Hash the data
- Compare the hashes
Setting Up the Node.js Application
Create a package.json file to record dependencies and an index.js file, which will serve as the root of our application. In index.js we require the Node.js crypto module and add a small helper that logs results to the console so we can check each function as we build it.
Generating the Salt
Our first function generates a random salt. It takes a number as its parameter, the length of the salt in bytes, and a simple validator rejects any value that is not greater than 15, so every salt carries at least 16 bytes (128 bits) of randomness, enough that two users sharing a salt is not a practical concern. The bytes must come from the crypto module’s secure random generator (crypto.randomBytes); Math.random is not cryptographically secure and must not be used for salts.
Hashing the Data
Next, we’ll define our hashing step using the crypto.createHmac() method. We’ll use the sha512 algorithm and pass our salt as the HMAC key, with the password as the message. One caveat a practitioner should keep in mind: HMAC-SHA512 is a fast hash with no tunable work factor, so while the salt defeats precomputed tables, each individual guess remains very cheap for an attacker who has stolen the database. Purpose-built password hashes (bcrypt, scrypt, Argon2) exist precisely to make each guess expensive.
Comparing the Hashes
Our compare password function hashes the submitted password with the stored salt using the same algorithm and then checks whether the new hash matches the stored hash. We’ll add validation that both the password and the stored credential are provided, that the password is a string, and that the stored credential is an object (the {salt, hash} record we saved). The comparison itself should use crypto.timingSafeEqual rather than ===, so that the time taken does not depend on how many leading bytes of the two hashes agree.
Putting it All Together
Now that we have our hashing functions, let’s create a test.js file to exercise the hasher module. We’ll set up a simple Express server, connect to MongoDB, and create the necessary routes.
Registering and Logging In Users
We’ll define our User model using Mongoose and create register and login routes to test the hasher. For each user we store the hashed password together with its salt in the database; the plaintext password is never persisted.
Testing the Password Hasher
Open POSTMAN and make a POST request to /register with a body that follows the defined schema. Then implement the login route and test it the same way: the correct password should be accepted and a wrong one rejected. Our password hasher is working as intended.
Final Thoughts
While this guide demonstrates how salting works with Node.js crypto, this implementation has real flaws and shouldn’t be used in production: HMAC-SHA512 is fast, has no configurable work factor and is not memory-hard, so once the database is stolen it offers little resistance to offline guessing. Purpose-built password hashing functions such as bcrypt, scrypt (built into Node’s crypto module) or Argon2 are the right choice for production applications. The source code is available on GitHub.