We have an existing database that uses pbkdf2:sha256 to hash passwords. I want to use the custom database login script to connect to our database and verify our existing password hashes.
When I try to require('pbkdf2-sha256') I get an error: Cannot find module 'pbkdf2-sha256'. Is it possible to use pbkdf2-sha256 in a custom login function?
If you want to compare a password hashed with pbkdf2, you should be able to use the built-in crypto library configured with the expected digest function. Read more about this here:
https://nodejs.org/api/crypto.html#crypto_crypto_pbkdf2_password_salt_iterations_keylen_digest_callback
How you call this will depend on your exact configuration when generating the hash, but here’s an example to get you started:
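const crypto = require('crypto'); // built into Node.js, no extra module to install

// salt, iterations and keyLength must match the values used when the hash was generated
crypto.pbkdf2(password, salt, iterations, keyLength, 'sha256', function(err, key) {
  if (err) { return callback(err); }
  if (key.toString('hex') === hash) { /* password matches */ }
});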
To compare the hashes, we recommend a method like crypto.timingSafeEqual to avoid timing attacks.
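Added example, not part of the original thread and not Auth0's own code: verifying a stored PBKDF2-SHA256 hash with the built-in crypto module and a constant-time comparison. It assumes records of the form `pbkdf2:sha256:<iterations>$<salt>$<hex digest>` with the salt used as its UTF-8 string bytes (the post does not state its format); the function names, iteration cap and sample values are constructed for illustration.

```javascript
const { pbkdf2Sync, timingSafeEqual } = require('crypto');

// Arbitrary upper bound (assumption) so a corrupt record cannot stall the login script.
const MAX_ITERATIONS = 10000000;

// Parse the assumed layout: pbkdf2:sha256:<iterations>$<salt>$<hex digest>
function parseStoredHash(stored) {
  const parts = String(stored).split('$');
  if (parts.length !== 3) return null;
  const [method, salt, hex] = parts;
  const m = /^pbkdf2:sha256:(\d+)$/.exec(method);
  // Require a non-empty salt and a whole number of hex-encoded bytes.
  if (!m || !salt || !/^(?:[0-9a-f]{2})+$/i.test(hex)) return null;
  const iterations = Number(m[1]);
  if (!Number.isSafeInteger(iterations) || iterations < 1 || iterations > MAX_ITERATIONS) {
    return null;
  }
  return { iterations, salt, expected: Buffer.from(hex, 'hex') };
}

function verifyPassword(password, stored) {
  if (typeof password !== 'string') return false;
  const parsed = parseStoredHash(stored);
  if (!parsed) return false; // malformed or unsupported record: reject
  const { iterations, salt, expected } = parsed;
  // Derive exactly as many bytes as were stored, so the two buffers have equal length.
  const derived = pbkdf2Sync(password, salt, iterations, expected.length, 'sha256');
  // timingSafeEqual throws on a length mismatch, so check lengths first.
  return derived.length === expected.length && timingSafeEqual(derived, expected);
}

// Constructed sample record (not real data), built the same way it is verified.
const SAMPLE_SALT = 'c29tZXNhbHQ';
const SAMPLE_ITERATIONS = 1000;
const SAMPLE_STORED = 'pbkdf2:sha256:' + SAMPLE_ITERATIONS + '$' + SAMPLE_SALT + '$' +
  pbkdf2Sync('correct horse', SAMPLE_SALT, SAMPLE_ITERATIONS, 32, 'sha256').toString('hex');

console.log(verifyPassword('correct horse', SAMPLE_STORED));
console.log(verifyPassword('wrong guess', SAMPLE_STORED));
```

In a login script, the asynchronous `crypto.pbkdf2` shown in the answer keeps the event loop free; the parsing and the `timingSafeEqual` comparison are unchanged.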