Comments (6)
@mwawrusch thanks for the heads up! You're absolutely right! I thought the secret should be enough, but salting each user is definitely a better practice.
from serverless-graphql.
I would recommend against hashing passwords, even with salt, as they are fairly easy to crack.
Instead, a key derivation function like https://www.npmjs.com/package/bcrypt-nodejs can provide much better security. (I've used that package with Serverless; it doesn't require native libraries.)
from serverless-graphql.
+1
Salted passwords are much much harder to crack than unsalted ones (salted password protect against rainbow table lookups and brute force). That being said, key derivation functions (like bcrypt) will make it all but impossible for an attacker who might gain access to the password database to be able to reverse the passwords that are stored. It will however increase the runtime of the functions that check the password proportionally to the number of derivation iterations. The point of key derivation functions is to make them computationally expensive and slow.
from serverless-graphql.
+1
This should be the default, but maybe we should mention the hashing option in the README since Lambda charges based on computation time. Users can do their own cost-benefit analysis.
On Mon, 28 Mar 2016 at 13:17 Mark Steele [email protected] wrote:
+1
Salted passwords are much much harder to crack than unsalted ones (salted password protect against rainbow table lookups and brute force). That being said, key derivation functions (like bcrypt) will make it all but impossible for an attacker who might gain access to the password database to be able to reverse the passwords that are stored. It will however increase the runtime of the functions that check the password proportionally to the number of derivation iterations. The point of key derivation functions is to make them computationally expensive and slow.
from serverless-graphql.
+1 for bcrypt - should have mentioned that ;-)
from serverless-graphql.
bcrypt and salting added! Thank you all for your feedback! 😊
from serverless-graphql.