WebsiteLogo

Authentication and Authorization

Implement user authentication and authorization in your Express.js application. Learn about techniques like password hashing, sessions, and JSON Web Tokens (JWT).

⬅ Previous Next ➡

Mastering Express.js: Build Scalable Web Applications - Secure Password Storage

Password Hashing: An Explanation

Password hashing is a fundamental security practice used to protect user passwords. Instead of storing passwords in plain text, which would be disastrous if a database were compromised, we store a one-way transformation of the password called a hash.

The core idea behind password hashing is that it is computationally infeasible to reverse the process – that is, to derive the original password from its hash. A good hashing algorithm should be:

  • One-way: Easy to compute the hash from the password, but very difficult (ideally, impossible) to compute the password from the hash.
  • Deterministic: The same password will always produce the same hash (with the same salt).
  • Collision-resistant: It should be extremely difficult to find two different passwords that produce the same hash.

Implementing Secure Password Storage with bcrypt or Argon2

Modern, strong hashing algorithms like bcrypt and Argon2 are highly recommended for secure password storage. These algorithms are designed to be slow and computationally intensive, which makes brute-force attacks much more difficult. They also incorporate salting automatically.

bcrypt

bcrypt is a widely used hashing algorithm that includes built-in salting. It's an adaptive hashing algorithm, meaning the computational cost can be increased to keep pace with advancing hardware. In Node.js, you can use the bcrypt or bcryptjs library.

Example (using bcryptjs in Express.js):

 const bcrypt = require('bcryptjs');

async function hashPassword(password) {
  const saltRounds = 10; // Cost factor - higher is more secure, but slower
  const hashedPassword = await bcrypt.hash(password, saltRounds);
  return hashedPassword;
}

async function comparePassword(password, hashedPassword) {
  const match = await bcrypt.compare(password, hashedPassword);
  return match; // Returns true if the password matches the hash
}

// Example Usage (in a registration route)
app.post('/register', async (req, res) => {
  const { username, password } = req.body;

  const hashedPassword = await hashPassword(password);

  // Store username and hashedPassword in your database
  // ... database logic ...

  res.status(201).send('User registered successfully!');
});

// Example Usage (in a login route)
app.post('/login', async (req, res) => {
  const { username, password } = req.body;

  // Retrieve user from the database based on username
  // ... database logic ...
  const user = /* result from database query */;

  if (!user) {
    return res.status(401).send('Invalid credentials');
  }

  const passwordMatch = await comparePassword(password, user.hashedPassword);

  if (passwordMatch) {
    // Generate a session token or JWT
    // ... session management logic ...

    res.status(200).send('Login successful!');
  } else {
    res.status(401).send('Invalid credentials');
  }
});

Argon2

Argon2 is a more recent key derivation function that is considered even more resistant to various attacks than bcrypt. It has different variants (Argon2d, Argon2i, Argon2id) optimized for different scenarios. Argon2id is generally the recommended choice.

Example (using argon2 in Express.js):

 const argon2 = require('argon2');

async function hashPassword(password) {
  try {
    const hash = await argon2.hash(password);
    return hash;
  } catch (err) {
    // Handle error (e.g., log it)
    console.error("Error hashing password:", err);
    throw err; // Re-throw to be caught by the route handler
  }
}

async function verifyPassword(password, hash) {
  try {
    if (await argon2.verify(hash, password)) {
      return true;
    } else {
      return false;
    }
  } catch (err) {
    // Handle error (e.g., log it)
    console.error("Error verifying password:", err);
    return false; // Or throw, depending on error handling strategy
  }
}


// Example Usage (in a registration route)
app.post('/register', async (req, res) => {
  const { username, password } = req.body;

  try {
    const hashedPassword = await hashPassword(password);

    // Store username and hashedPassword in your database
    // ... database logic ...

    res.status(201).send('User registered successfully!');
  } catch (error) {
    console.error("Registration error:", error);
    res.status(500).send('Registration failed.');
  }

});

// Example Usage (in a login route)
app.post('/login', async (req, res) => {
  const { username, password } = req.body;

  // Retrieve user from the database based on username
  // ... database logic ...
  const user = /* result from database query */;

  if (!user) {
    return res.status(401).send('Invalid credentials');
  }

  const passwordMatch = await verifyPassword(password, user.hashedPassword);

  if (passwordMatch) {
    // Generate a session token or JWT
    // ... session management logic ...

    res.status(200).send('Login successful!');
  } else {
    res.status(401).send('Invalid credentials');
  }
});

Salting

A salt is a random string of characters that is added to each password before it is hashed. This makes it more difficult for attackers to use precomputed tables of hashes (rainbow tables) to crack passwords. Both bcrypt and Argon2 automatically handle salting internally, so you typically don't need to implement it manually when using these algorithms.

Why Salting is Important: Even if a strong hashing algorithm is used, attackers might use rainbow tables containing precomputed hashes for common passwords. Adding a unique, random salt to each password before hashing ensures that even if the password itself is common, the resulting hash will be unique, rendering rainbow tables ineffective.

Proper Hashing Techniques to Prevent Password Breaches

  • Use strong hashing algorithms: Choose bcrypt or Argon2 over older, weaker algorithms like MD5 or SHA1.
  • Use sufficient work factor (cost factor): Increase the computational cost of the hashing algorithm (e.g., the saltRounds in bcrypt). A higher cost factor makes brute-force attacks more time-consuming and expensive. However, be mindful of the performance impact on your server.
  • Store salts alongside hashes: Bcrypt and Argon2 handle this automatically. If you were to use a simpler algorithm that required manual salting, it's crucial to store the salt along with the hashed password in the database. The salt is needed to verify the password during login.
  • Implement rate limiting: Limit the number of failed login attempts from a single IP address to prevent brute-force attacks.
  • Consider password policies: Enforce strong password requirements (minimum length, character types) to reduce the likelihood of weak passwords.
  • Regularly update your dependencies: Ensure that your hashing libraries and other security-related dependencies are up-to-date to patch any known vulnerabilities.
  • Protect your database: Implement strong access controls and encryption to prevent unauthorized access to your password database.

By following these best practices, you can significantly improve the security of your Express.js application and protect your users' passwords from breaches.

⬅ Previous Next ➡