Password Security

Hey Everyone,

I just want to see if I'm using a decent method of storing passwords in an AWS database.

The passwords are generated using PBKDF2 and stored in my database as a salt and a hash, like so:

This database isn't securing any sort of financial or ultra sensitive data - but I obviously do not want it to just be freely accessible.

Here is the code I'm using in my Retool app for verifying the user/password.

let pass // password input value; the expression was lost in the original post
let user // username input value; the expression was lost in the original post

// Runs the Login query, which returns the stored salt and hash for this user
let result = await Login.trigger({additionalScope:{"username":user,"password":pass}})

let salt = result.pword_salt[0]
let hash = result.pword_hash[0]

// Derives a 128-bit key from the entered password and the stored salt.
// CryptoJS defaults apply for anything not passed here (1 iteration, SHA-1).
var key = CryptoJS.PBKDF2(pass, salt, {
  keySize: 128 / 32
})

// Compares the derived key's word array against the JSON-encoded stored one
if(key.words.toString() == JSON.parse(hash).toString()){
  utils.showNotification({title:"Success",description:"Logged In!",notificationType:"success",duration:1})
} else {
  utils.showNotification({title:"Invalid Password",description:"Password Incorrect",notificationType:"error",duration:5})
}

Just looking for some feedback, or suggestions, or glaring issues!
The biggest one I see is that if a user knows the local storage key I'm using, they could just go in the console on the page and set the 'loggedIn' value to true, right? What would be a better way to track that they have logged in, for example if they refresh the page?



Hi there msd5079,
You have a really good start here; however, your intuition is right in regard to localStorage tampering. Users can tamper with localStorage values, setting loggedIn to true. Instead, use a more secure method such as session tokens.

Upon a successful login, generate a session token and store it in a secure cookie. This makes it less accessible to JavaScript running in the browser. Then validate the token on each request to ensure the user is authenticated.