Store the Secret in a Safe Place
Let’s start with storage—you have to store the password somewhere so that you can validate that the user knows the secret. There’s a big difference between saving the password and saving the password securely.
First off, and I do hope I stress this enough, never, ever store passwords in plain text. That’s just asking for trouble. You may think that people who will see the passwords will already have access to the data—so what’s the big deal. Oh, how wrong you would be.
There are two important differences between storing passwords in plain text and hashed: impersonation and collateral damage. First off, seeing the password in hashed format will not allow you to simply log in as the user because you still don’t ...
Get Secure Your Node.js Web Application now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.