使用 Node.js 和 MongoDB 存储密码
我正在寻找一些如何使用 node.js 和 mongodb 安全存储密码和其他敏感数据的示例.
I'm looking for some examples of how to securely store passwords and other sensitive data using node.js and mongodb.
我希望所有内容都使用唯一的盐,我将在 mongo 文档中与哈希一起存储.
I want everything to use a unique salt that I will store along side the hash in the mongo document.
对于身份验证,我是否必须对输入进行加盐和加密并将其与存储的哈希匹配?
For authentication do I have to just salt and encrypt the input and match it to a stored hash?
我是否需要解密这些数据?如果需要,我应该怎么做?
Should I ever need to decrypt this data and if so how should I do it?
私钥,甚至加盐方法如何安全地存储在服务器上?
How are the private keys, or even salting methods securely stored on the server?
我听说 AES 和 Blowfish 都是不错的选择,我应该使用什么?
I've heard the AES and Blowfish are both good options, what should I use?
任何有关如何设计的示例都会非常有帮助!
谢谢!
推荐答案
使用这个:https://github.com/ncb000gt/node.bcrypt.js/
bcrypt 是少数几个专注于这个用例的算法之一.您永远无法解密您的密码,只能验证用户输入的明文密码是否与存储/加密的哈希值匹配.
bcrypt is one of just a few algorithms focused on this use case. You should never be able to decrypt your passwords, only verify that a user-entered cleartext password matches the stored/encrypted hash.
bcrypt 使用起来非常简单.这是我的 Mongoose 用户模式的一个片段(在 CoffeeScript 中).请务必使用异步函数,因为 bycrypt 很慢(故意).
bcrypt is very straightforward to use. Here is a snippet from my Mongoose User schema (in CoffeeScript). Be sure to use the async functions as bycrypt is slow (on purpose).
class User extends SharedUser
defaults: _.extend {domainId: null}, SharedUser::defaults
#Irrelevant bits trimmed...
password: (cleartext, confirm, callback) ->
errorInfo = new errors.InvalidData()
if cleartext != confirm
errorInfo.message = 'please type the same password twice'
errorInfo.errors.confirmPassword = 'must match the password'
return callback errorInfo
message = min4 cleartext
if message
errorInfo.message = message
errorInfo.errors.password = message
return callback errorInfo
self = this
bcrypt.gen_salt 10, (error, salt)->
if error
errorInfo = new errors.InternalError error.message
return callback errorInfo
bcrypt.encrypt cleartext, salt, (error, hash)->
if error
errorInfo = new errors.InternalError error.message
return callback errorInfo
self.attributes.bcryptedPassword = hash
return callback()
verifyPassword: (cleartext, callback) ->
bcrypt.compare cleartext, @attributes.bcryptedPassword, (error, result)->
if error
return callback(new errors.InternalError(error.message))
callback null, result
另外,请阅读 这篇文章,它应该让你相信 bcrypt 是一个很好的选择并帮助您避免变得真正有效".
Also, read this article, which should convince you that bcrypt is a good choice and help you avoid becoming "well and truly effed".
相关文章