lujakob/nestjs-realworld-example-app

Using sha256 isn't secure for password hashing

mootrichard opened this issue · 1 comment

sha256 is just a message digest, so it really shouldn't be used as an example for password hashing.

You can use argon2 though, which is considered the best current password hashing algorithm.

this.password = crypto.createHmac('sha256', this.password).digest('hex');

const argon2 = require('argon2');

try {
  // hash the entity's own password field (the literal "password" in the
  // first draft was a placeholder); argon2.hash salts and encodes the result
  this.password = await argon2.hash(this.password);
} catch (err) {
  //...
}

https://www.npmjs.com/package/argon2

Hey Richard, looks good to me. Thanks for the hint :)