A secure-, idiot proof hashing module

Hello all users that doesn’t know how to hash passwords!

I’ve made a very convenient module made to hash and verify passwords, or other stuff. It supports ALL hashes that node (OpenSSL) supports. It uses a stragey called salt+hash. It also supports using keys for the shake hashes.

If you want to spectate the source code of the module you can go to https://ihacks.dev/ihack2712/ihacks-hash.

If you want to download the module on Glitch: pnpm install ihacks-hash.

Here’s a quick guide:

const { hash, test } = require("ihacks-hash");

// Hash a password:
const hashed = hash("sha512", "my password");

// Verify that some text is the same hashed.
const isValid = test(hashed, "my password");

Version 2 Update!

I’ve made an update to the module that adds support for multiple hashing rounds!

Docs

hash(hash, text, key?, rounds?, salt?)

Hash some content into a string component.

Parameter Type Optional Default Description
hash HashName No None The name of the hash you want to use.
text string No None The text you want to hash.
key string Yes undefined Whether or not to use a key whilst hashing. Recommended.
rounds number Yes 1 How many rounds to hash some content.
salt string Yes undefined The salt to use when hashing, this is only here for my convenience, do not use.

Returns: (string) The hashes content.

test(data, text, key?)

Test if some text would be equal to some hashed content when hashed.

Parameter Type Optional Default Description
data string No None The hashed string component you want to test against.
text string No None The unhashed text you want to test against the hash.
key string Yes undefined Whether or not to use a key whilst hashing. Recommended.

Returns: (boolean) Whether or not the text was the same as the data when hashed.

HashName

Type: string

HashName is an enumerable (type) of the list of supported hashing algorithms.

Example (basic hash & test)

// Import the module.
const { hash, test } = require("ihacks-hash");

// Information
const password = "MyVeryFakePassword123";

// Hash a password.
const hashed = hash("sha512", password);
const hashed2 = hash("sha512", password);

// Test the hash.
test(hashed, password); // true
hashed === hashed2; // false

Example (basic hash w/ key)

// Import the module.
const { hash, test } = require("ihacks-hash");

// Server Key
const key = "Super Secret Server Key";

// Information
const password = "MyVeryFakePassword123";

// Hash a password.
const hashed = hash("sha512", password, key);
const hashed2 = hash("sha512", password, key);

// Test the hash.
test(hashed, password, key); // true
hashed === hashed2; // false

Example (basic hash w/ multiple hashing rounds)

// Import the module.
const { hash, test } = require("ihacks-hash");

// How many rounds to hash.
const rounds = 1000; // Recommended value: 1000

// Server Key
const key = "Super Secret Server Key";

// Information
const password = "MyVeryFakePassword123";

// Hash a password.
const hashed = hash("sha512", password, key, rounds);
const hashed2 = hash("sha512", password, key, rounds);

// Test the hash.
test(hashed, password); // true
hashed === hashed2; // false

Example (basic hash w/ key & multiple hashing rounds)

// Import the module.
const { hash, test } = require("ihacks-hash");

// How many rounds to hash.
const rounds = 1000; // Recommended value: 1000

// Information
const password = "MyVeryFakePassword123";

// Hash a password.
const hashed = hash("sha512", password, null, rounds);
const hashed2 = hash("sha512", password, null, rounds);

// Test the hash.
test(hashed, password); // true
hashed === hashed2; // false
7 Likes

Hi! Love it! Looks great! What’s wrong with bcrypt though? Not everyone knows, for example, what sha512 is.

2 Likes

BCrypt has a maximum length of 72 characters.
e.g.
my-very-long-pas…rubbish-password-abc
is the same as:
my-very-long-pas…rubbish-password-bca

SHA512 is a hashing algorithm.

1 Like

where is this storing the salts?

edit: oh it’s part of the output hashed above

Yes, the salts are stored along-side the hash. Just to make it idiot-proof.

Nobody is going to have a password longer than 72chars. Also I recommend against using a fast hashing method, as there are sha512 hash to text databases. Putting a salt is useless since the attacker can just remove it and then look it up.
You should use something that you can decrease speed in like how bcrypt allows you to specify rounds to prevent brute force(maybe that’s why my website login takes 5 seconds).

@javaarchive

I will kindly ask you to do research before you criticize someone’s work, all the facts you provided were wrong (except for bcrypt allows to specify how many rounds to hash, which is something you can do with mine as well).

  1. I use LastPass with a random password generator with 99 characters long passwords, yes, I do.
  2. bcrypt is a hashing function based on the blowfish cipher.
  3. You don’t seem to know much about what hashing and salting mean. What you are referring to is called a rainbow table, this is a database where people can lookup the text for the equivalent hashes. Something the hash+salt stragey fixes. A salt cannot possibly ever be removed from the hash. A hash is a one way function and cannot be decrypted.
  4. Decreasing the speed of hashing is not a wise idea. The idea of decreasing speed is only effective when it comes to public-key cryptography, the reason why is because you want to have something called a Discrete Logarithm Problem, in very simple terms that means, you want to have something that is very quick to do, but extremely hard to undo.

SHA512 is an extremely strong hashing algorithm, but anyway I don’t force anyone to use any algorithms.

If you don’t believe me that hasing and salting isn’t preventing rainbow tables then proove it. I know I can’t proove it because it is not possible. However what I can proove is that my module is resistent to rainbow table queries:

My module supports every hashing algorithm supported by OpenSSL, heres a list:

[
  'RSA-MD4',
  'RSA-MD5',
  'RSA-MDC2',
  'RSA-RIPEMD160',
  'RSA-SHA1',
  'RSA-SHA1-2',
  'RSA-SHA224',
  'RSA-SHA256',
  'RSA-SHA3-224',
  'RSA-SHA3-256',
  'RSA-SHA3-384',
  'RSA-SHA3-512',
  'RSA-SHA384',
  'RSA-SHA512',
  'RSA-SHA512/224',
  'RSA-SHA512/256',
  'RSA-SM3',
  'blake2b512',
  'blake2s256',
  'id-rsassa-pkcs1-v1_5-with-sha3-224',
  'id-rsassa-pkcs1-v1_5-with-sha3-256',
  'id-rsassa-pkcs1-v1_5-with-sha3-384',
  'id-rsassa-pkcs1-v1_5-with-sha3-512',
  'md4',
  'md4WithRSAEncryption',
  'md5',
  'md5-sha1',
  'md5WithRSAEncryption',
  'mdc2',
  'mdc2WithRSA',
  'ripemd',
  'ripemd160',
  'ripemd160WithRSA',
  'rmd160',
  'sha1',
  'sha1WithRSAEncryption',
  'sha224',
  'sha224WithRSAEncryption',
  'sha256',
  'sha256WithRSAEncryption',
  'sha3-224',
  'sha3-256',
  'sha3-384',
  'sha3-512',
  'sha384',
  'sha384WithRSAEncryption',
  'sha512',
  'sha512-224',
  'sha512-224WithRSAEncryption',
  'sha512-256',
  'sha512-256WithRSAEncryption',
  'sha512WithRSAEncryption',
  'shake128',
  'shake256',
  'sm3',
  'sm3WithRSAEncryption',
  'ssl3-md5',
  'ssl3-sha1',
  'whirlpool'
]
2 Likes

I’ve previously used passwords with lengths like that.

2 Likes

Why don’t you count preventing brute force, as @javaarchive mentioned, as an effective use? Sorry if this won’t appeal to someone who’d rather tell others to do research, but if anyone else reading is interested in looking up the literature, the technique is referred to as “key stretching.” And it’s not limited to slowing down the hashing per se; there are techniques, for example, to increase the required memory as well.

By the way, forcing users to use a certain one could be a good opportunity to make this module more idiot-proof. I understand that you and I don’t agree on what’s the best algorithm right now, but I hope you’ll agree that there are bad options in that huge list of algorithms that OpenSSL supports.

3 Likes

Hey @wh0, that is great feedback!

Technically SHA512 is already a slow hashing algorithm compared to others, I feel it is already slow enough to prevent mass brute-force. Anyhow, if you don’t feel that one hashing round is enough then my module don’t prevent you from rounding. I am actually already working on a rounding functionality for my module, a few people have contacted me on my discord regarding the module. I will announce how all the things in my module work when I’ve released my current project.

Now that you mention it, some of the hashing algorithms are deprecated. I.e. SHA1 or MD5 hashes. I still don’t want to prevent users from using MD5 if they please like it. I am however going to implement a deprecation warning for poor hashing algorithms.

This post was flagged by the community and is temporarily hidden.

This post was flagged by the community and is temporarily hidden.

This post was flagged by the community and is temporarily hidden.

2 Likes

This post was flagged by the community and is temporarily hidden.

This post was flagged by the community and is temporarily hidden.

1 Like

hi! if you make a public glitch app that’s a working/remixable example how to use this, i can add it to a collection i’m making of apps shared here in “The Gallery”

4 Likes

If you give me a couple hours I’ll have a project running! I’m just going to have to finish my update for the package :slight_smile:

For security reasons, I recommend that anybody who needs real security doesn’t use this. You can refer to this crypto.SE question. The consensus is to use bcrypt, scrypt, PBKDF2, or even Argon2 in some test cases. The list of algorithms you provided aren’t any of these so this is more a test package before you install scrypt, PBKDF2, bcrypt, and if you want, Argon2. Remember these hash functions I provided are good for password hashing, not other things that the other hashes listed in this package do. I am posting this since these algorithms are being used for password hashing in this module. Fast hash functions should never be used in applications where security is actually required.

4 Likes

That is great feedback, and as I’m writing this I am actually working on implementations of PBKDF2 and Argon2. The strategy I’m using now is very similar to PBKDF2 and also has the same effect.

P.S. Upon writing the module I was already aware of bcrypt, argon2 and PKKDF2. Never heard of scrypt though… I’ll do a read on that later.

This post was flagged by the community and is temporarily hidden.

1 Like