
Security > Introduction to Data Security > Solutions > Storing Passwords

Juliette Tworsey
Front End Web Development Techdegree Graduate 32,411 Points

Password protection in Node.js/Express

Hi,

I am currently working on an Express/Node.js/MongoDB application and I have a couple of questions after watching this tutorial:

I am currently using Passport for email authentication and Node's native Crypto for password reset tokens and expiration timeouts. I only see Bcrypt listed (for storing passwords in Node) in the teacher's notes that follow this tutorial. Will the combo that I am currently using be sufficient, or should I rework the code by switching over to Bcrypt?

Also, Kenneth mentions that there are vulnerabilities in using MD5 for password storage, but is it safe to use in your application if it is used only for hashing emails (not for storing passwords) that are attached to incoming avatars that appear as a result of a user registering on my site/app?

Thanks in advance to anyone who can offer up some advice.

Great course!

1 Answer

Steven Parker
215,954 Points

Sure, bcrypt is better, but how good do you need?

You might evaluate your risk level before deciding if you need better encryption. How likely is it for a malicious party to get your database? And what's the damage potential of a cracked password? Does your application maintain credit information or other purchase information that could be used for theft (and would be extremely attractive to hackers), or does it store computer game scores? The advice given in the course to use the latest techniques is certainly sound, but I would add that, as far as keeping up with the latest goes, it makes sense to evaluate risk against cost (including development effort).

And regarding your avatars, the vulnerabilities of MD5 have to do with hash collisions, which are still going to be extremely rare. And since you're not using it for access security the consequences should one happen are not terribly severe. You might show the wrong photo with a message?

Juliette Tworsey
Front End Web Development Techdegree Graduate 32,411 Points

This is my first actual app deployment (using MLAB for my DB deployment and NOW for the app deployment), and there will be no financial transactions taking place, so there is no request for credit card information. In fact, the current project that I have been working on is more of an exercise in getting acquainted with the Node/Express/MongoDB deployment-to-production process than anything else, so I doubt that anyone will even see this app (in its current incarnation), other than potential employers in the future. That's not to say that I won't be working on projects in the future that will require the latest and the best methods with regards to security. Say, for example, if I was building an app for a record company that wanted a secure app for playing unreleased music to only authorized parties, etc. ...but now I'm getting off topic...lol..

I will keep what you said in mind. Thanks for your advice Steven!