On Thu, Nov 22, 2012 at 2:54 PM, cherry <[email protected]> wrote:
>
> I have a registration form and I'm sending that data to MongoDB through the
> mongoskin driver, and I want to encrypt those passwords at server side using
> MD5. Can you please help me?
Disclaimer: I'm not a security professional, more a security-aware
developer / administrator, thus please take these pointers as simple
hints, and take a decision after careful analysis and thought.
First of all just MD5'ing (or any other hashing) of the password
doesn't make it secure, in case of a database breach. Other solutions
like `bcrypt`, `scrypt` do solve the issue of database breach, but
still don't solve other issues related with password handling.
As such if you are seriously concerned with your application's
security you'll have to take into account at least the following
issues:
* of course SSL is mandatory;
* login rate limiting;
* account locking;
* minimum password strength; (and the trade-off between the
passwords' security and their usability;)
* password aging;
* many other things found in best practices guides;
Below are some articles on this topic that I've found very useful
(in order of importance for me, and relevance for this topic). (Of
course these are other hints and pointers, and you should make your
own judgment.)
http://www.lightbluetouchpaper.org/2010/07/27/passwords-in-the-wild-part-i-the-gap-between-theory-and-implementation/
http://www.lightbluetouchpaper.org/2010/07/29/web-password-standards-2/
https://www.schneier.com/essay-246.html
https://aceshardware.wordpress.com/2012/05/28/a-case-for-standardizing-password-security/
http://jeremiahgrossman.blogspot.ro/2009/10/all-about-website-password-policies.html
http://queue.acm.org/detail.cfm?id=2254400
http://throwingfire.com/storing-passwords-securely/
http://www.lightbluetouchpaper.org/2012/09/03/password-cracking-part-i-how-much-has-cracking-improved/
http://www.lightbluetouchpaper.org/2012/09/04/password-cracking-part-ii-when-does-password-cracking-matter/
All in all: if possible don't implement it yourself, unless you
perfectly understand all the issues involved, and try to find a ready-made
solution, or there is a high chance that you'll end up with a
warm and fuzzy but **false** security feeling, and a certainly
insecure system.
Ciprian.
--
Job Board: http://jobs.nodejs.org/
Posting guidelines:
https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google
Groups "nodejs" group.