This weekend I decided to study more about hashing and thought of creating my own hashing function, which would obviously, hash. Hashing is different from encryption, with encryption you can decrypt the message into the original form, but hashing should be one way, i.e no matter what the output is, it should be irreversible, which makes the problem even harder. I ended up creating my own hashing algorithm, which I was able to crack myself in around 20 minutes or so. I further studied about how dangerous it can be to roll your own hash (yes roll your hash) if you are not a cryptographic expert so I decided to give up on creating my own hashing algorithm, however I did dig deep on how hashing is used to store passwords.

Well, of course, good hashing algorithms exist which are one way (SHA-512, SHA-256, and MD5) however they are crackable. By crackable I mean, although the hash itself is irreversible the hackers calculate the hash of tons(^tons) of common words, and compare it with the existing hash. The process is repeated for every possible word, until they match some passwords. That is exactly why when we choose a password, we are asked to choose a long (7+ digits) with special characters, since the more complicated the password is, the more time it will take to brute force it. Ofcourse, even after all these complications, hackers are still able to crack the passwords. There are many different attacks which the hackers use to crack them such as : Rainbow Table, Dictionary, Brute Force attacks which poses a great security threat to the users.

While creating my node app, I found out that it was difficult for me to choose a hashing algorithm which is secure for storing my passwords, and understanding about cryptography took a lot of time. I believe that it should not be necessary for someone to be a cryptographic expert to hash their passwords securely, hence I created a library : Secura which one can use to hash the passwords securely and compare the asynchronous way. This module returns a promise with the hashed password and also compares it.

Below I have described the usage :

Usage

Install the module :

npm install secura

Usage is very simple and straightforward. You can import the module using :

const secura = require('secura');

Generate Password

This converts the user password to a secure hash.

secura.generatePassword(password)
      .then(hash=>{
          //store the hash in the database
      });

Verify Password

This verifies if the password entered by the user matches the hashed password stored in the database.

secura.validatePassword(password, hash)
      .then(isMatch=>{
          //returns true if password matches and false otherwise
      })

Features

  • Simple and straightforward to use. No knowledge of cryptography required to hash passwords and compare.
  • Every hashed password is 61 digits long.
  • Protection from Brute Force & Dictionary Attacks.
  • Protection from Rainbow Table Attacks.
  • Randomly generated salt for every password.
  • Extra field is not required for storing salt in the database.
  • Uses PBKDF2 to compute hash.

You can contribute to this library by sending a pull request or opening an issue at : repo link

Thanks for reading. Hoping you will find this library useful.