Any way to get a HASH(password,salt,workfactor) "Accounts" handling of my user's password?


#1

Dear all,
I am (French,) new to Meteor, and have successfully self-trained myself through many tutorials, so please don’t be too rude.

To my understanding, when using the accounts-password package, the users collection does not contain a “salt” attribute to mitigate rainbow table attacks and most stored hash tables that might let a server attacker get my users’ passwords in clear text.
The “password” attribute holds a 120-long “bcrypt” hash… but no “salt”, nor a bcrypt “workfactor” (which would allow raising the attacker’s CPU cost in step with Moore’s law).

I tried to search through all Meteor-related forums but, even if some posts state that there is a bcrypt salt (unique for all users), I don’t see any way to protect my users as expected.

Apart from using external OAuth (FB, Twitter, …), is there any way you know of to better store those passwords?
- Known packages?
- Known core planned/unplanned features?

Best regards


#2

Sorry about that, it appears bcrypt handles a “salt” by design.

More info here

So, I am still interested in modifying the bcrypt workfactor (defaults to 10), but that is less of a problem than the salt was.
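As an added example (not code from the original thread or from Meteor), the Node.js snippet below shows where a stored bcrypt string keeps both the per-hash salt and the work factor the two posts ask about, and flags hashes whose cost is below a target so an account can be re-hashed at the user's next successful login. The function names and the sample hash are constructed here for illustration.

```javascript
// Added example, not part of the original thread: bcrypt's modular crypt format is
//   $<version>$<cost>$<22 chars of salt><31 chars of hash>
// so the salt and the work factor travel inside the stored string itself.
// Everything after the third '$' uses bcrypt's own base64 alphabet (./A-Za-z0-9).
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Returns the parsed fields, or null if the string is not a bcrypt hash.
function parseBcryptHash(stored) {
  const m = BCRYPT_RE.exec(stored);
  if (!m) return null;
  const cost = Number(m[2]);            // the work factor ("rounds")
  return {
    version: m[1],                      // "2a", "2b", ...
    cost,
    iterations: 2 ** cost,              // bcrypt runs 2^cost expensive key-setup rounds
    salt: m[3],                         // 128-bit random salt, unique per hash
    hash: m[4],                         // the 184-bit hash output
  };
}

// True when a stored hash was produced with a weaker work factor than we now
// want, so the password should be re-hashed after the user next logs in.
function needsRehash(stored, targetCost) {
  const parsed = parseBcryptHash(stored);
  if (parsed === null) return true;     // unknown format: treat as needing an upgrade
  return parsed.cost < targetCost;
}

// Constructed sample hash for illustration (cost 10, the default the thread mentions).
const SAMPLE_HASH = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy";

console.log(parseBcryptHash(SAMPLE_HASH));
console.log("needs rehash to reach cost 12:", needsRehash(SAMPLE_HASH, 12));
```

Because the salt is stored alongside the hash, two users with the same password get different hashes, and raising the work factor later only requires re-hashing at login rather than a schema change.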


#3

Also, I found this 1999 scientific article, “A Future-Adaptable Password Scheme”, explaining “bcrypt” capabilities.