43

I'm currently learning about encryption and password safety in NodeJS. I'm working with an example that currently uses PBKDF2, and I'd like to switch this out to use SHA256 instead. Is this possible and/or does it make sense? How would I go about it?

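```javascript
var crypto = require('crypto');

// Length in bytes of the derived key (also used for the random salt).
var len = 128;

// Number of PBKDF2 iterations.
var iterations = 13000;

// Called as (pwd, salt, fn): derive the hash for a known salt.
// Called as (pwd, fn): generate a new salt, then derive the hash.
module.exports = function (pwd, salt, fn) {
  if (3 == arguments.length) {
    // 'sha1' was the implicit digest when omitted; current Node.js requires it to be named.
    crypto.pbkdf2(pwd, salt, iterations, len, 'sha1', fn);
  } else {
    fn = salt;
    crypto.randomBytes(len, function(err, salt){
      if (err) return fn(err);
      salt = salt.toString('base64');
      crypto.pbkdf2(pwd, salt, iterations, len, 'sha1', function(err, hash){
        if (err) return fn(err);
        fn(null, salt, hash);
      });
    });
  }
};
```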
Dustin
  • 1
    This may help you http://stackoverflow.com/questions/13714103/hashing-a-password-using-sha256-and-net-node-js – y-- Oct 07 '13 at 23:08
  • 2
    This is a fairly good summary of password hashing: https://crackstation.net/hashing-security.htm – ntoskrnl Oct 08 '13 at 16:00
  • https://www.npmjs.com/package/sha256 Check this module – James111 Dec 23 '15 at 06:35
  • 2
    _Please_ do not use sha256 for password hashing https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords – user196499 Mar 03 '18 at 03:21

1 Answer

88

If you wanted to generate sha256 hashes, then you'd have to drop the iterations and length properties as those are specific to pbkdf2. You would then use `crypto.createHash()` which uses OpenSSL to generate hashes. That being said, the types of hashes you can generate are dependent on the version of OpenSSL that you have installed.

```javascript
var crypto = require('crypto');
var hash = crypto.createHash('sha256').update(pwd).digest('base64');
```

Your specific implementation might look like this:

```javascript
var crypto = require('crypto');

// Hashes pwd with a single SHA-256 pass and passes the base64 digest to fn.
module.exports = function(pwd, fn) {
  var hash = crypto.createHash('sha256').update(pwd).digest('base64');
  fn(null, hash);
};
```
hexacyanide
  • 10
    Actually to generate a password hashed in sha256, you have to use digest 'hex': `var hash = crypto.createHash('sha256').update(pwd).digest('hex');` – Vadorequest Jan 12 '14 at 13:01
  • 11
    The hash is still `sha256`, it's just in a different encoding. The person who asked the question also used `base64` as his encoding, therefore, I answered like so. – hexacyanide Jan 12 '14 at 17:08
  • 7
    Yeah, it's just that I guess some people don't manage encoding and want a result in basic SHA256 (such as me), I used some time to understand it so I just wanted to help for the nexts :p – Vadorequest Jan 12 '14 at 17:30
  • 1
    Hi, this is nothing but encryption. Can you please let me know how to decrypt? – user740189 Mar 22 '19 at 09:55
  • 2
    Hi @user740189, `SHA` is a one way algorithm, a hashing algorithm. It is not meant to be reversed and can't be. A hashing algorithm is meant to represent data in a unique way. It is not meant to store data. – Elliot Huffman Apr 06 '19 at 00:14
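
An added example, not part of the original question, answer or comments: PBKDF2 accepts SHA-256 as its digest, so the question's salt and iteration count can be kept while switching the hash function, shown here next to the bare SHA-256 call from the answer. `SALT_LEN`, the `$`-separated storage string and the function names are assumptions of this example.

```javascript
const crypto = require('crypto');

// Iterations and key length are taken from the question.
const ITERATIONS = 13000;
const KEY_LEN = 128;      // bytes of derived key
const SALT_LEN = 16;      // bytes of random salt (assumption for this example)
const DIGEST = 'sha256';

// Bare SHA-256 as in the answer: no salt and no work factor, so the same
// password always produces the same stored value.
function sha256Hash(pwd) {
  return crypto.createHash('sha256').update(pwd).digest('base64');
}

// PBKDF2-HMAC-SHA256 with a fresh random salt per password.
// Returns one self-describing string: digest$iterations$salt$hash
function hashPassword(pwd) {
  const salt = crypto.randomBytes(SALT_LEN);
  const hash = crypto.pbkdf2Sync(pwd, salt, ITERATIONS, KEY_LEN, DIGEST);
  return [DIGEST, ITERATIONS, salt.toString('base64'), hash.toString('base64')].join('$');
}

// Recompute the hash with the stored parameters and compare in constant time.
function verifyPassword(pwd, stored) {
  const parts = stored.split('$');          // base64 never contains '$'
  if (parts.length !== 4) return false;
  const [digest, iterStr, saltB64, hashB64] = parts;
  if (digest !== DIGEST) return false;      // only accept the digest we issue
  const iterations = Number(iterStr);
  if (!Number.isInteger(iterations) || iterations < 1) return false;
  const expected = Buffer.from(hashB64, 'base64');
  if (expected.length === 0) return false;
  const actual = crypto.pbkdf2Sync(pwd, Buffer.from(saltB64, 'base64'),
                                   iterations, expected.length, digest);
  return crypto.timingSafeEqual(actual, expected);
}
```
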