Store the Secret in a Safe Place

Let’s start with storage—you have to store the password somewhere so that you can validate that the user knows the secret. There’s a big difference between saving the password and saving the password securely.

First off, and I do hope I stress this enough, never, ever store passwords in plain text. That’s just asking for trouble. You may think that the people who will see the passwords will already have access to the data—so what’s the big deal? Oh, how wrong you would be.

There are two important differences between storing passwords in plain text and hashed: impersonation and collateral damage. First off, seeing the password in hashed format will not allow you to simply log in as the user because you still don’t ...
