
I'm trying to encrypt passwords in nodejs for a website using express.

Here is the function I use to encrypt the passwords:

const crypto = require('crypto');

// the problem: a fresh random key and IV are generated every time the process starts
const key = crypto.randomBytes(32);
const iv = crypto.randomBytes(16);

function encrypt(str) {
    // AES-256-CBC with the process-lifetime key and a fixed IV
    const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
    let encrypted = cipher.update(str, 'utf8', 'hex');
    encrypted += cipher.final('hex');
    console.log(encrypted);
    return encrypted;
}

The problem with this code is that if I were to restart this, the key would be different and I would get different strings for the same password that's saved in the database. This wouldn't work because I wouldn't be able to test the password against the hash when a user submits it while trying to log in.

How can I make it so that I will always receive the same encrypted string, and is there a more secure way to do everything, maybe even other libraries that would do the job better?

2 Comments
  • I just ended up using bcryptjs for this. Works perfectly! Commented Apr 14, 2022 at 8:34
  • You don't "encrypt" passwords. You hash them. Commented Apr 14, 2022 at 13:21

3 Answers

2

Normally with nodejs, bcryptjs is the more commonly suggested module for password encryption and decryption.

Follow the link below for an example of BcryptJs:

BcryptJs concept examples


1 Comment

Ended up using bcryptjs!

1

We can use crypto, a native nodejs module; check out the sample code below:

const crypto = require('crypto');
// random salt, hex encoded; it has to be stored next to the hash to verify later
const salt = crypto.randomBytes(16).toString('hex');
// PBKDF2-HMAC-SHA512, 1000 iterations, 64-byte derived key, hex encoded
const hash = crypto.pbkdf2Sync('<password>', salt, 1000, 64, 'sha512').toString('hex');

Further sample code: https://www.geeksforgeeks.org/node-js-password-hashing-crypto-module/

Note: all cryptographic operations are CPU heavy; try using the async function whenever possible.

2 Comments

When the program restarts the salt would be different, and then you wouldn't be able to check it...
Yes, I do agree. Still, we can use a constant secret (config) instead of salt to hash the password. The idea is to avoid extra packages and utilize native modules.

-1

Use Crypto-Js npm library.

const CryptoJS = require("crypto-js");

// encrypt the submitted password with a passphrase taken from the environment
// (Users is the application's user model, req the express request; runs inside an async handler)
const doc = await Users.create({
  password: CryptoJS.AES.encrypt(
    req.body.password,
    process.env.PASS_SEC
  ).toString(),
});

For comparing the password, use the code below.

// decrypt the stored ciphertext back to the original password
const decrypted = CryptoJS.AES.decrypt(
  user.password,
  process.env.PASS_SEC
);
const originalPassword = decrypted.toString(CryptoJS.enc.Utf8);

// compare the recovered password with the one submitted at login
// (user.password is ciphertext, so comparing it with the plaintext would never match)
if (req.body.password === originalPassword) {
  return user;
}

Reference: https://www.npmjs.com/package/crypto-js
