easy-pbkdf2's Issues
Change default number of iterations to much higher
The default of 512 is laughably low. Consider using 64,000 iterations, with automatic doubling every 2 years since 2012.
Apparently 64,000 iterations was recommended by OWASP in 2012, with the recommendation that this value double every 2 years. I couldn't find the source for this though, and I'll need to benchmark a bit to ensure I don't cause sites to DOS themselves in a few years.
Add a `verify` helper function
Being that this is supposed to make pbkdf2 "easy", I should probably add a verify method.
key length?
Is there a reason why:
var keySize = 256,
is hardcoded in the hash function? Couldn't this be configurable like SALT_SIZE?
Implement crypto.timingSafeEqual instead of our custom implementation
Maybe not an issue, but
http://www.reddit.com/r/cryptography/comments/1l9b6o/question_should_different_implementations_of/
I had some trouble using your library that boiled down to the salt encoding, and this thread might illuminate things a little for you. I think I followed all the examples I could find correctly, but maybe you want to make your documentation reflect this subtlety. I'd be happy to provide additional info if you need.
Also, when will the KEY_SIZE fix make it into your npm module?
Unable to instantiate easyPbkdf2 with options
Hello,
I'm unable to instantiate easyPbkdf2 with options. This is how I'm calling it:
var EasyPbkdf2 = require('easy-pbkdf2')();
// Configure easyPbkdf2
var options = {
'DEFAULT_HASH_ITERATIONS': 512, // default DEFAULT_HASH_ITERATIONS is 512
'SALT_SIZE': 32 // default SALT_SIZE is 32
};
var easyPbkdf2 = new EasyPbkdf2(options); <<<<< crashes here
console.log(easyPbkdf2.DEFAULT_HASH_ITERATIONS); // 256
console.log(easyPbkdf2.SALT_SIZE); // 16
I never get to see the console.logs because Node throws the following exception:
TypeError: object is not a function
If I call easyPbkdf2.secureHash() without options, it works great. Any ideas? Thanks!
Look into setting a maximum password length to prevent DOS attacks
DOS attacks via long passwords will probably be making their rounds (again). http://www.tomsguide.com/us/django-long-password-security,news-17557.html
I'm thinking about setting a default max-length of maybe 4096 bytes. This max-password length would be configurable.