Authentication in Node.js - #6 Password Security

Published: 03 January 2020
on channel: Code Realm
8,989 views
168 likes

The NPM ecosystem offers two popular implementations of the bcrypt hashing algorithm, bcrypt and bcryptjs. bcryptjs is written in pure JavaScript and has zero dependencies, whereas bcrypt is written in C++ and requires node-gyp, Python 2 and a GCC compiler. bcrypt does ship some pre-compiled binaries, but in many cases you need to build it manually for your particular architecture and OS. This introduces an extra build step, but it also improves performance by 30% compared to the JavaScript-based bcryptjs. You will find detailed installation instructions in the wiki: https://github.com/kelektiv/node.bcry...

Both libraries impose a limit of 72 bytes on the input string. Despite some confusion, the maximum length is in fact 72 bytes, not 56 (https://security.stackexchange.com/a/...). Any bytes beyond the 72nd are silently discarded, so a passphrase that matches the first 72 bytes of the real password but carries extra trailing characters from position 73 onward would still pass the comparison, a false positive. As such, it's important that you limit the password length as part of input validation. Alternatively, you can pre-hash the password to lift the maximum length: https://security.stackexchange.com/a/...

Keep in mind that although strings are internally represented in UTF-16 encoding in most JavaScript engines, the Node.js Buffer API interprets strings as UTF-8 by default. A string may have a length below 72 and yet still weigh more than 72 bytes. This is because certain symbols, such as accented characters and emojis, need more than one byte in UTF-8, and some of them (emojis in particular) are even made up of two UTF-16 code units, known as a surrogate pair. In @hapi/joi, you can validate byte length instead of character length by passing utf8 as the second argument to the max() method.

Beware that C/C++-based implementations of bcrypt also truncate the input string at a null byte. This typically bites when you pre-hash the password and forget to encode the binary digest: a raw digest can contain a 0x00 byte at any position, and everything after it is dropped. As a rule of thumb, do NOT pass raw binary to bcrypt; always run the digest through base64 or hex encoding first: https://blog.ircmaxell.com/2015/03/se...

As far as password validation is concerned, beyond the maximum length you may also want to enforce upper/lower-case letters and digits. A common oversight when writing a regular expression for passwords is to match ASCII characters only. While suitable for Anglophone users, this rule won't work for international visitors who attempt to enter accented characters, as in French or German. Depending on your target demographic, you may want to employ Unicode property escapes instead (available as of ES2018): https://stackoverflow.com/a/48902765. Don't forget to enable Unicode support in your regex with the /u modifier (as of ES2015), and verify Node.js support at https://node.green/

StackOverflow password regex https://stackoverflow.com/a/19605207

GitHub repo https://github.com/alex996/node-auth
