Juliette Tworsey, Front End Web Development Techdegree Graduate, 32,425 Points
Password protection in Node.js/Express
I am currently working on an Express/Node.js/MongoDB application and I have a couple of questions after watching this tutorial:
I am currently using Passport for email authentication and Node's native Crypto for password reset tokens and expiration timeouts. I only see Bcrypt listed (for storing passwords in Node) in the teacher's notes that follow this tutorial. Will the combo that I am currently using be sufficient, or should I re-work the code by switching over to Bcrypt?
Also, Kenneth mentions that there are vulnerabilities in using MD5 for password storage, but is it safe to use in your application if it is used only for hashing emails (not for storing passwords) that are attached to incoming avatars that appear as a result of a user registering on my site/app?
Thanks in advance to anyone who can offer up some advice.
Steven Parker, 227,140 Points
Sure, bcrypt is better, but how good do you need?
You might evaluate your risk level before deciding if you need better encryption. How likely is it for a malicious party to get your database? And what's the damage potential of a cracked password? Does your application maintain credit information or other purchase information that could be used for theft (and would be extremely attractive to hackers), or does it store computer game scores? The advice given in the course to use the latest techniques is certainly sound, but I would add that, as far as keeping up with the latest, it makes sense to evaluate risk against cost (including development effort).
And regarding your avatars, the vulnerabilities of MD5 have to do with hash collisions, which are still going to be extremely rare. And since you're not using it for access security the consequences should one happen are not terribly severe. You might show the wrong photo with a message?