Is hashing "hidden" data secure? #2

@munro

I'm creating tokens with the password as part of the hash, but not part of the public signed data. The purpose being when they change their password, it invalidates their login token. So when they bring their token back, I rehash it with their password and then compare.

Is hashing private data in this way a secure thing to do? I haven't read about it, so I'm not sure if it's a safe thing to do.

```js
signobj({username: 'ryan'}, 'SECRET KEY', {password: 'foobar'})
/**
 * [
 *    {username: 'ryan'},
 *    'SALT',
 *    'HASH' // with password
 * ];
 */
```

```js
.update(JSON.stringify(pub.concat([hidden])))
```
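
The scheme the question describes, written out as an added example (not code from this issue or its project): a keyed MAC covers the public claims plus a hidden per-user value, so changing the hidden value invalidates every token issued earlier. The names `signToken` and `verifyToken`, the choice of HMAC-SHA256, and the use of the server's stored password hash (rather than the plaintext password) as the hidden value are assumptions.

```javascript
const crypto = require('node:crypto');

// HMAC-SHA256 over the public claims, the salt and the hidden value.
// Serialising them as one JSON array keeps the field boundaries unambiguous,
// so bytes cannot be shifted from one field into the next.
function mac(pub, salt, key, hidden) {
  return crypto.createHmac('sha256', key)
    .update(JSON.stringify([pub, salt, hidden]))
    .digest('hex');
}

// Returns [pub, salt, mac]. The hidden value is bound into the MAC but is
// never placed in the token itself.
function signToken(pub, key, hidden) {
  const salt = crypto.randomBytes(16).toString('hex');
  return [pub, salt, mac(pub, salt, key, hidden)];
}

// Recomputes the MAC with the hidden value the server holds *now* and
// compares in constant time. Malformed tokens are rejected, not thrown on.
function verifyToken(token, key, hidden) {
  if (!Array.isArray(token) || token.length !== 3) return false;
  const [pub, salt, presented] = token;
  if (typeof salt !== 'string' || typeof presented !== 'string') return false;
  const expected = Buffer.from(mac(pub, salt, key, hidden), 'hex');
  const given = Buffer.from(presented, 'hex');
  // timingSafeEqual throws on unequal lengths, so check that first.
  return given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
}

// Constructed sample values (assumptions, not from the issue).
const SERVER_KEY = crypto.randomBytes(32);
const storedHashV1 = 'constructed-stored-password-hash-v1';
const storedHashV2 = 'constructed-stored-password-hash-v2'; // after a password change

const token = signToken({ username: 'ryan' }, SERVER_KEY, storedHashV1);
console.log(verifyToken(token, SERVER_KEY, storedHashV1)); // same hidden value
console.log(verifyToken(token, SERVER_KEY, storedHashV2)); // hidden value changed
```

The token's integrity rests on the server key; the hidden value only adds revocation when it changes, and it stays off the wire because only the MAC output is published.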
