Password Security

Hey Everyone,

I just want to see if I'm using a decent method of storing passwords in an AWS database.

The passwords are generated using PBKDF2, and stored in my database as a salt, and a hash like so:
(screenshot of the salt and hash columns)

This database isn't securing any sort of financial or ultra sensitive data - but I obviously do not want it to just be freely accessible.

Here is the code I'm using in my retool app for verifying the user/password

// Read the credentials the user typed into the form.
let pass = form1.data.password
let user = form1.data.username

// Fetch the stored salt and hash for this username from the database query.
let result = await Login.trigger({additionalScope:{"username":user,"password":pass}})

let salt = result.pword_salt[0]
let hash = result.pword_hash[0]

// Note: this logs the plaintext password and the stored salt/hash to the
// browser console; remove it before the app goes anywhere real.
console.log(pass,user,result)

// Re-derive the key exactly as it was generated. CryptoJS uses a single PBKDF2
// iteration unless `iterations` is passed, so this only matches stored hashes
// that were generated with the same (default) count; a much higher count is
// recommended when generating new hashes.
var key = CryptoJS.PBKDF2(pass, salt, {
  keySize: 128 / 32
});

// The stored hash is a JSON-encoded array of 32-bit words, so both sides are
// compared as their comma-joined string form.
if(key.words.toString() == JSON.parse(hash).toString()){
  utils.showNotification({title:"Success",description:"Logged In!",notificationType:"success",duration:1})
  // A localStorage flag is readable and writable by anything running in the page.
  localStorage.setValue("loggedIn",true)
  checkAccess.trigger()
}else{
  utils.showNotification({title:"Invalid Password",description:"Password Incorrect",notificationType:"error",duration:5})
}

Just looking for some feedback, or suggestions, or glaring issues!
The biggest one I see is that if a user knows the localStorage key I'm using, they could just go into the console on the page and set the 'loggedIn' value to true, right? What would be a better way to track that they have logged in, for example if they refresh the page?

Thanks!

3 Likes

Hi there msd5079,
You have a really good start here; however, your intuition here is right with regard to localStorage tampering. Users can tamper with localStorage values, setting loggedIn to true. Instead, use a more secure method such as session tokens.

Upon a successful login, generate a session token and store it in a secure cookie. This makes it less accessible to JavaScript running in the browser. Then validate the token on each request to ensure the user is authenticated.

4 Likes