Best approach
blazerguns opened this issue · 6 comments
Hi Chris,
I loved the examples you put up. I appreciate it. I however fail to understand how to use any of this in my application. My Node.Js app does queries to mysql database. The query needs username password to query the db. As of now, I have the db username password stored as clear text in my index.js script. However, I cannot pass this on to anyone else, cause they can see the credentials. If i used any of the functions you described, it looks like I can encrypt my username and password, but then to decrypt it I still to pass on "password = 'd6F3Efeq';" to decrypt it. Since this nodejs app, the javascript is open and anyone who can access "password = 'd6F3Efeq';" can decrypt those credentials right? How can we prevent that?
I cant really use hash as it is one way encryption and thats quite useless in my case. Can you suggest if I misunderstood your post?
Regards,
Chandy
Hey Chandy, for your use case (store passwords), I would recommend create a user table in mysql and store username and passwords within the database. Since passwords should not be stored in plain text, I would propose to use SHA Hashs like I demonstrated in https://github.com/chris-rock/node-crypto-examples/blob/master/sha-text.js. Then you store username, hashed password and salt per user. Once the user tries to login in, you read the user from the database, generate a new hash from the entered password with the stored salt. Finally you compare the two hashs.
I hope this answers your question.
Chris
Thanks that helps. Some of the credentials (user name & password) I am storing are for sql db, postgres dbs and many others from which my node will connect to them and collect the needed information. This is not the place where I can store user credentials.
Basically, the node server runs as backend where it receives web request via (REST API) and then node internally, contacts the dbs, collects the results, formats in JSON format and responds back to browser.
The problem with hash is that it is one way encryption, that means, if a user passes a password then I can compare with hash to see if its correct password. This will not work as I need to send clear text password to authenticate with various databases in the backend. That is why I felt like using Symmetric alogs which allow me to store the password encrypted, but decrypts it before sending to the database for authentication. In other words, encryption on rest. Some db's support hash password, so I can save the password as hash and send for authentication as hash. This helps if all dbs in our infra supports it. Unfortunately that may not be the case. My fear is hacker getting into this box where my node runs and gets access to all db passwords and access the database directly.
I still cant seem to wrap my head around a really good solution when using javascipt. Should my node application been in C++ or C, perhaps I would have kept the key in the binary itself. This is not fail proof, but atleast its takes a bit of reverse engineering to be able to the key out. With javascipt, its a cake walk. :-(
You need to use different solutions for different types of credentials:
- eg. Environment Variables / or config file for DB Access
- User/Password in DB
- Token-based Authentication for intersystem communication
I do not think, your challenges can be solved via a ticket. I recommend to work with nodejs consultants like http://vulcanosec.com/nodejs.html
Thanks a lot for your help. I think I got a brief idea, will play around bit more.
Also have a look at https://github.com/chris-rock/password-hasher I just released it yesterday.