Security Differences with bcrypt Node.js Modules

Question

One of my projects is using the bcrypt module for hashing secrets. A handful of people complain that it's hard to install because of its dependencies. I've tried to install it on a Windows Server before; it's not a walk in the park.

People are asking me to use pure JavaScript drop-in replacements such as dcodeIO/bcrypt.js and shaneGirish/bcrypt-nodejs. But I really don't know the security implications of using them. Are they just as reliable?

Solution

Provided that these implementations are correct, you should use the fastest bcrypt available, which most likely means a non-JS implementation.

You should assume that an attacker has the quickest implementation available, and you want to slow the attacker down by increasing the cost of computation as much as you reasonably can.
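
The trade-off described in the answer can be put into numbers. The following is an added example, not part of the original answer or of any bcrypt project: it picks the highest cost factor that fits a login latency budget and shows how much cheaper each guess gets for an attacker when the defender's implementation is slower. The function names and the timings are constructed; `impl` is assumed to be any module exposing `hashSync(password, cost)`, as `bcrypt` and `bcryptjs` do.

```javascript
// Added example. `impl` is any module exposing hashSync(password, cost),
// e.g. require('bcrypt') or require('bcryptjs'); neither is loaded here.
const MIN_COST = 4, MAX_COST = 31; // bcrypt's valid cost range

// Median wall-clock milliseconds for one hash at the given cost.
function measureMs(impl, cost, runs = 5) {
  const samples = [];
  for (let i = 0; i < runs; i++) {
    const t0 = process.hrtime.bigint();
    impl.hashSync('constructed-sample-password', cost);
    samples.push(Number(process.hrtime.bigint() - t0) / 1e6);
  }
  samples.sort((a, b) => a - b);
  return samples[Math.floor(samples.length / 2)];
}

// Highest cost whose projected time stays within budgetMs.
// bcrypt runs 2^cost key-setup iterations, so each +1 doubles the time.
function affordableCost(msAtBase, baseCost, budgetMs) {
  if (!(msAtBase > 0) || !(budgetMs > 0)) throw new RangeError('times must be > 0');
  let cost = baseCost, ms = msAtBase;
  while (ms * 2 <= budgetMs && cost < MAX_COST) { ms *= 2; cost++; }
  while (ms > budgetMs && cost > MIN_COST) { ms /= 2; cost--; }
  return cost;
}

// How much cheaper each guess becomes for an attacker (who uses the fastest
// code regardless) when the defender settles for the slower implementation.
function attackerGain(fastMs, slowMs, baseCost, budgetMs) {
  const fastCost = affordableCost(fastMs, baseCost, budgetMs);
  const slowCost = affordableCost(slowMs, baseCost, budgetMs);
  return { fastCost, slowCost, factor: 2 ** (fastCost - slowCost) };
}

// Constructed timings at cost 8: 3 ms (fast build), 10 ms (slow build),
// with a 250 ms budget per login.
console.log(attackerGain(3, 10, 8, 250));
```

To use real numbers, pass `measureMs(require('bcrypt'), 8)` and `measureMs(require('bcryptjs'), 8)` as the two timings on the production hardware.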
