DEV Community

kambala yashwanth
kambala yashwanth

Posted on

Best way to store password in DB

ReactJs,Mongodb

  1. how can I overcome MITM, Man In The Middle Attack while sending password

  2. If I am not allowed to store SHA256 hashed passwords,How should I implement without using any npm authentication packages

Top comments (11)

Collapse
 
rhymes profile image
rhymes
  1. use TLS and HSTS so that your connection will be encrypted. It doesn't make it impossible but it makes it a lot harder. You can also use non-SMS based 2FA to increase security.

  2. why aren't you allowed to store hashed passwords or use authentication libraries? You should never store passwords in clear. BTW don't use SHA256 if you can avoid it, there are better algorithms like Argon2 or the older PBKDF2

Collapse
 
yashwanth2804 profile image
kambala yashwanth

Have an assignment to build account-password system without npm auth package.Whats the best approach

Collapse
 
phlash profile image
Phil Ashby

Probably not directly helpful for what looks like a learning exercise in "things you shouldn't do unless you have to", but in the real world I would always look to delegate this part of an application to something sane like auth0.com, or AzureAD, or Facebook, Google, Twitter... much like your favourite dev website :)

More useful - all the stuff @rhymes said!

Collapse
 
rhymes profile image
rhymes

I'm not a node user so I'm going to be generic. Let's start with a "shopping list" of what you might need:

  • a database to store the accounts
  • a library to connect to such database
  • a user table in the database, the minimum is probably "username", "password"
  • a library to hash those password
  • a web framework and HTML/CSS to render the registration and login pages

The registration flow is:

  • input username, password and password confirmation
  • check the two passwords, if they are equal hash one and store it in the db with the username, if they are not equal tell the user
  • redirect the user to a "success" page

The login flow is:

  • input username and password
  • hash the password and check it's the same one you have stored
  • if it is, let the user in, if not, tell them
  • redirect the user to a "success" page

This is the bare, bare, minimum.

Keep in mind that since there are no sessions in this scenario, the user will have to input their accounts everytime they decide to access the "protected" page.

Thread Thread
 
yashwanth2804 profile image
kambala yashwanth

thank you very much for getting me started.

Collapse
 
davidszabo97 profile image
Dávid Szabó
  1. HTTPS
  2. Use bcrypt. It's not an authentication package... Please define what does authentication package mean.
Collapse
 
yashwanth2804 profile image
kambala yashwanth

like passport.js or other helper libraries,
thanks

Collapse
 
davidszabo97 profile image
Dávid Szabó

OK then please go on with bcrypt (npmjs.com/package/bcrypt). It's a standard for hashing passwords. (It's almost the same algorithm that's in PHP pssword_hash)

It's not rocket science, really. You don't need to understand how it works, though I guess you will need to speak up about how it works but you can find various sources about that. (codahale.com/how-to-safely-store-a...)

Thread Thread
 
yashwanth2804 profile image
kambala yashwanth

thanks CAP!!!

Collapse
 
kspeakman profile image
Kasey Speakman
Collapse
 
yashwanth2804 profile image
kambala yashwanth

thank you for the reference.