
docs: insecure example

Open elithrar opened this issue 3 years ago • 3 comments

The current Quick Start guide shows an example where a password is hashed using SHA-256 - https://threads.js.org/getting-started

This is not a secure example, and may lead readers without a meter for secure code to copy-paste the example.

  • SHA-256 is a fast cryptographic hash, and not a key derivation function (like bcrypt or scrypt)
  • This means it is NOT suited to "hashing" passwords

I would suggest using another example entirely that doesn't rely on password hashing, but if you must use it, use the PBKDF2 algorithm from SubtleCrypto to derive a key from the user input, with sufficient rounds.

elithrar avatar May 23 '21 10:05 elithrar

Hey @elithrar, thanks for pointing that out!

This is a good point indeed. Maybe let's just drop the password context and use it as a generic hashing worker instead? I am not attached to the use case, I just needed something tangible as a sample back in the day and somehow ended up with this unfortunate example.

andywer avatar May 23 '21 13:05 andywer

OK, great!

Let me PR a revised example tonight / tomorrow that aligns with that and removes "password" from the terminology.

elithrar avatar May 23 '21 14:05 elithrar

Very much appreciated!

andywer avatar May 23 '21 14:05 andywer