Dear all,
I am French, new to Meteor, and have successfully self-trained myself through many tutorials, so please don’t be too rude.
To my understanding, when using the accounts-password package, the users collection does not contain a “salt” attribute allowing me to mitigate rainbow-table attacks and most stored hash tables that may allow a server attacker to get my users’ passwords in clear text.
The “password” attribute holds a 120-long “bcrypt” hash… but no “salt”, nor a bcrypt “workfactor” (allowing the attacker’s CPU cost to be raised following Moore’s law).
I tried to search through all Meteor-related forums but, even if some posts state that there is a bcrypt salt (unique for all users), I don’t see any way to protect my users as expected.
Apart from using external OAuth (FB, Twitter, …), is there any way you know of to better store those passwords?
- Known packages?
- Known core planned/unplanned features?
Best regards
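As an added example following the post (not part of the original thread or of Meteor's own code): a small JavaScript parser for the bcrypt string format `$2a$<cost>$<salt><digest>`, showing that the per-user salt and the work factor travel inside the stored string, plus an audit pass over constructed sample strings. The field name `services.password.bcrypt` is an assumption about where accounts-password keeps the hash.

```javascript
// Added example (not from the original post): parse the modular-crypt bcrypt
// string that accounts-password stores (assumed field: services.password.bcrypt)
// to show that the salt and the cost ("work factor") are embedded in the hash
// itself rather than kept as separate user attributes.
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

function parseBcryptHash(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) throw new Error("not a bcrypt hash string");
  const cost = parseInt(m[2], 10);
  return {
    version: m[1],       // "2a", "2b", ...
    cost,                // log2 of the number of key-expansion rounds
    rounds: 2 ** cost,   // actual work done per verification
    salt: m[3],          // 128-bit salt, bcrypt-base64 encoded (22 chars)
    digest: m[4],        // 184-bit digest (31 chars)
  };
}

// Audit helper: flag hashes whose cost is below the policy minimum, strings
// that are not bcrypt at all, and any two users sharing a salt (which would
// point at a broken salt source, since bcrypt draws a fresh salt per hash).
function auditBcryptHashes(hashes, minCost) {
  const seenSalts = new Map();
  const findings = [];
  hashes.forEach((hash, i) => {
    let parsed;
    try { parsed = parseBcryptHash(hash); }
    catch (e) { findings.push({ index: i, issue: "unparseable" }); return; }
    if (parsed.cost < minCost) findings.push({ index: i, issue: "low-cost", cost: parsed.cost });
    if (seenSalts.has(parsed.salt)) findings.push({ index: i, issue: "duplicate-salt", other: seenSalts.get(parsed.salt) });
    else seenSalts.set(parsed.salt, i);
  });
  return findings;
}

// Constructed sample strings (valid bcrypt layout, not hashes of any real password).
const SAMPLE_HASHES = [
  "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy",
  "$2a$04$abcdefghijklmnopqrstuvIjZAgcfl7p92ldGxad68LJZdL17lhWy", // cost 4: too cheap
  "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy", // same salt as [0]
  "plaintext-or-garbage",                                           // not bcrypt
];

console.log(parseBcryptHash(SAMPLE_HASHES[0]));
console.log(auditBcryptHashes(SAMPLE_HASHES, 10));
```

Raising the cost only affects hashes created afterwards, so an audit like this is how you find users who still need to be re-hashed at their next login.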