How to properly encrypt passwords in nodejs
I'm trying to encrypt passwords in nodejs for a website using express.
Here is the function I use to encrypt the passwords:
const crypto = require('crypto');
// the problem: key and IV are generated fresh on every process start
const key = crypto.randomBytes(32);
const iv = crypto.randomBytes(16);
function encrypt(str) {
  const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
  let encrypted = cipher.update(str, 'utf8', 'hex');
  encrypted += cipher.final('hex');
  console.log(encrypted);
  return encrypted;
}
The problem with this code is that if I were to restart this, the key would be different and I would be getting different strings for the same password that's saved in the database. This wouldn't work out because I won't be able to test the password against the hash when a user submits it when trying to log in.
How can I make it so that I will always receive the same encrypted string and is there a more secure way to do everything, maybe even other libraries that would do the job better?
Solution 1:[1]
Normally with nodejs, bcryptjs is the more suggested module for password encryption and decryption.
Follow the link below for an example of BcryptJs.
Solution 2:[2]
We can use crypto, a native nodejs module; check out the sample code below.
const crypto = require('crypto');
// random per-password salt, stored alongside the hash
const salt = crypto.randomBytes(16).toString('hex');
// derive the hash: 1000 iterations, 64-byte output, SHA-512
const hash = crypto.pbkdf2Sync('<password>', salt, 1000, 64, 'sha512').toString('hex');
Further sample code: https://www.geeksforgeeks.org/node-js-password-hashing-crypto-module/
Note: all cryptographic operations are CPU heavy; try using the async function whenever possible.
Solution 3:[3]
Use the Crypto-Js npm library.
const CryptoJS = require("crypto-js");
// inside an async handler; Users is the application's user model and
// PASS_SEC is the encryption passphrase read from the environment
const doc = await Users.create({
  password: CryptoJS.AES.encrypt(
    req.body.password,
    process.env.PASS_SEC
  ).toString(),
});
For comparing the password use the code below.
const hashedPassword = CryptoJS.AES.decrypt(
  user.password,
  process.env.PASS_SEC
);
// decrypt back to the original plaintext and compare it with the submitted password
const originalPassword = hashedPassword.toString(CryptoJS.enc.Utf8);
if (req.body.password === originalPassword)
  return user;
Reference: https://www.npmjs.com/package/crypto-js
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Mihir Shah |
| Solution 2 | Muhamed Salih |
| Solution 3 | sai krishna |
