
So I am trying to import a csv file into my mongo db. The fields include a username and a password, which is a string. I am able to successfully import the file, but the password is being stored as a string only. But my db stores hashed passwords, and has a salt field. I want to know if I can force mongo to hash the password before importing it into the db. Is there a command or will I have to find another way? Any suggestions are highly appreciated.

Please note that I am able to import all the data successfully, I just want to know how to hash the user's password on import and then store it.

kvnam
  • so your password was stored as a string and now you want to create a hash out of it? – Salvador Dali May 09 '15 at 07:16
  • yes, it is a string in my csv file, but I want to create a hashed version before inserting into mongodb. In my regular user registration Mongoose takes care of the hashing in the pre('save'), but in this case it's obviously not called as I am using mongoimport – kvnam May 09 '15 at 07:21

1 Answer


There is no option "hash my password" in mongo import/restore. What I would do is to restore the dump as is and then update the field's value based on this value:

db.yourCollection.find({}).forEach(function(doc) {
  doc.F1 = yourHashCalcFunction(doc.F1);
  db.yourCollection.save(doc);
});
Salvador Dali
  • The one issue here is that at some point, you will send and write the unhashed password on the server. So if the latter is somehow subverted, one might have access to that sensitive data (even if it is "removed" -- think about some sector dump of the disk). – Sylvain Leroux May 09 '15 at 07:34
  • Jeez, thanks, going to go try this one out, quick question though. I use Mongoose, which uses Crypto to hash passwords, now in order to have the user successfully log in, I would need to hash the passwords using the same functions, right? Apologies for ignorance, this is my first time working with the MEAN stack – kvnam May 09 '15 at 07:35
  • @SylvainLeroux so why not do this on your local machine, then do mongodump and then restore this new mongodump. – Salvador Dali May 09 '15 at 07:44
  • @monologish this sounds right, but I would consult the documentation of whatever crypto library you use. – Salvador Dali May 09 '15 at 07:45
  • @SylvainLeroux - I am planning to do just that - create the db after import from my original csv file and complete the hashing process on my local machine, then export this db containing hashed pwds and salt, and then import that to db on my server – kvnam May 09 '15 at 07:49
  • @SalvadorDali - Haven't finished the hashing process yet, but will mark your answer the moment I am done. Thanks. – kvnam May 09 '15 at 07:50
  • @mongolish You should understand what you are doing *first* ;) Storing the salt in the database makes it easier for an attacker who obtained read access to the database to use a brute force or dictionary attack on those hashed passwords. The whole idea of adding salt is that an attacker with read access to the hashed text has an unknown factor to deal with. It is considered best practice to store the salt in a different data source, for example a config file, and make it accessible only to the authentication service. – Markus W Mahlberg May 09 '15 at 09:42
  • @MarkusWMahlberg Agreed :D..thanks for bringing this to my notice, reading up on it now. – kvnam May 10 '15 at 06:04