This is partly a reason why I haven’t yet switched some projects to nodejs.
2 Likes
The fact that this doesn’t seem to bother a lot of people, bothers me 
Terrifying!
1 Like
I consider this a learning moment for myself. What is Argon2 and what is it used for?
Again, this is me learning. Not saying we shouldn’t have it.
1 Like
2 Likes
Certainly looks like the future of hashing. Is this just a Node.js thing or would it apply to PHP as well?
Well although the implementation seems pretty easy, it involves another installing another native node module.
This is all fine but if we do that per default - it will be installed always to all nodejs projects.
So we want to make installing new modules - dependent on the used server connect actions first.
So they get installed on demand and not always as currently is the case.
So we will implement that first as improvements - and then we can start rolling out all kind of modules 
2 Likes
That sounds nice indeed. I always check my package.json anyway.
Just bare with me and my monthly bumps because I truly believe that this is an important one and people and their apps will benefit from it even if they have no clue what we are talking about.
Once that happens I think it would be good to separate hashing formatters and security components. All of them being grouped under crypto can cause confusion for people that don’t know the difference in security.
I would separate current hashing formatters in a “hash” category and “password hashing” in a “password or security” category. Cryptographic induces people to believe it’s a synonym of “security”.
4 Likes
I couldn’t wait as I am going live soon and had to finalize some test scenarios.
I hacked through the formatters and wrapped the async function with a sync version.
You need to install the make-synchronous and argon2 library from the terminal inside your project folder:
npm i make-synchronous argon2
In lib/formatters/crypto.js you require the make-synchronous library:
const makeSync = require("make-synchronous");
And add two new formatters:
const makeSync = require("make-synchronous");
module.exports = {
argon2hash: function (data) {
const syncHash = makeSync(async (password) => { const argon2 = require("argon2"); return argon2.hash(password, { type: argon2.argon2id }) })
return syncHash(data)
},
argon2verify: function (data, password) {
const syncVerify = makeSync(async (hash, password) => { const argon2 = require("argon2"); return argon2.verify(hash, password) })
return syncVerify(data, password)
},
Then you can use in SC.
“yourpassword”.argon2hash() -> returns a valid argon2id hash
hashedPassword.argon2verify(“passwordtoverify”) -> returns boolean
Disclaimer: I do not recommend this method and implementation. It’s a quick and dirty hack that helps me progress through my testing. I would advise to wait for a Wappler async module and proper implementation. It will also be overwritten by Wappler with each update.
4 Likes
I also want to go live with a nodeJS project with a login system in the near future.
If I understand this thread correctly, using SHA512 with a salt is not secure enough? Is it a major security flaw or will it be fine for the time being until Wappler develops the argon implementation for NodeJS projects?
(I won’t have more than a few hundred users the coming months)
No, it’s not
In my opinion Argon may be best but SHA is perfectly secure for most applications. but don’t just take my word for it.
2 Likes
Sha512 is not a security flaw by itself. You could build an acceptable algorithm with it in Wappler. But do you know how to do that? How are you going to select the salt? Is it secure enough? How will you know?
SHA family of functions were never intended to be used as a means to storing password hashes. They were intended for “digests”. To sign things in other words.
You can use a SHA function as a building block for a secure algorithm(i.e. PBKDF2-HMAC)
But on it’s own your application will be less secure than other apps using a key derivation function.
NIST doesn’t recommend using SHA functions to store “secrets”. They recommend Key Derivation Functions which SHA family are not.
Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function. Key derivation functions take a password, a salt, and a cost factor as inputs then generate a password hash. Their purpose is to make each password guessing trial by an attacker who has obtained a password hash file expensive and therefore the cost of a guessing attack high or prohibitive. Examples of suitable key derivation functions include Password-based Key Derivation Function 2 (PBKDF2) [SP 800-132] and Balloon [BALLOON].
Argon2, scrypt, bcrypt and old but standardized PBKDF2 are still way better than using any SHA function.
1 Like
That is actually a pretty neat solution! Maybe @patrick should check it out and see if we can better use it like this indeed instead of going the async way.
1 Like
Instead of editing an existing formatter file you could create a new one, all files in the lib/formatters are being loaded dynamically and that would prevent your file from being overwritten.
An async method would be preferred here since the sync version would block your JavaScript thread and makes your server freeze up for a little moment while the function is executing. To allow async formatters I have to rewrite the expression parser to be async also, that will take some time but is something that I also prefer. (Will be for NodeJS exclusive since the other server models (except .net) do not support async execution)
3 Likes
Would you ‘guess’ that it might be a 2020 job?
Thanks for the tip @patrick.
Indeed. Async will always be preferred.
The app I am building isn’t planning on having too many users at the beginning. Around 1200 users at launch. And as the actual workload is created on hashing and not so much on verifying I am assuming there won’t be so much workload to end in a DoS.
1 Like
@JonL Your guess is correct. I don’t know how to build an acceptable algorithm. I looked at osme other threads like Better password encryption and honestly, I am confused.
I think my options are:
- Use SHA512 Hash for passwords right now and wait for Wappler to implement Argon2 for NodeJs
- Use SHA512 Hash for passwords + set up a random salt like so Centralise salt string references and wait for Argon2
- Try to replicate what you have done above @JonL - but you are advising to wait
Can you please advice me?
Thank you!