21 comments

[ 3.4 ms ] story [ 67.0 ms ] thread
(comment deleted)
So... while this is cool and all, this isn't anything revolutionary or even 'new' that couldn't have been done in any other scripting language/framework (and, in fact, I daresay it could've probably been done faster in another language/framework).

While I believe Node is pretty frickin' awesome, I don't see a point in glorifying concepts that have already been done to death. Nodes entire architecture allows so many more possibilities than just a HackerNews clone, so let's see it instead of constantly reinventing the wheel.

I chose Node.js for no reason other than Fun. Coffeescript gives it a good spike as well.

Klonoar, follow the github repo for future diversions from HN, or make a pull request and I'll see it through to the live site.

> crypto.createHash('md5').update(password).digest('base64')

Any reason you chose md5? Props for at least salting and running it 1000 times.

No, I just wanted a well optimized hash function. Would you suggest another?
Certainly would, although SHA1 is being phased out, it's probably still "ok" to use, but I wouldn't choose it if I wanted the project to achieve maximum longevity, I'd choose a later family of SHA, SHA2. It will be slower, but you won't end up looking like gawker. Since node just uses openssl you have quite a collection of message digest algorithms to choose from. Run an "openssl speed" on your server to get a benchmark of different algorithms.

Edit:

    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes

    md5              24629.04k    83750.79k   226739.03k   391874.18k   509285.72k

    sha1             24185.38k    75777.49k   177806.76k   263012.01k   305498.58k

    sha256           17504.41k    42089.29k    84845.06k   108628.53k   120801.96k

    sha512           13258.86k    57601.03k   101861.29k   155866.45k   188783.13k
Also, you're using iterating 1000 times for all users, you can mix it up and store that with the user in mongo. (1000-1000+). You might also want to serve up your login and any pages requiring some form of authorised behaviours using https. (Prevent auth token theft and password sniffing).

Also when validating user input for passwords, are you sure it's isAlphanumeric() that you want? Some users like to have non alphanumeric characters in their passwords. If it's just an attempt to stop xss/injection then I believe node-validator supports that without restricting you to alphanumeric characters only.

I think the general consensus post Gawker hacking was that hashing alone was inadequate and that for greater security you should use bcrypt as it takes so much longer to run attacks.
Let me be the first to say, good job. It's great to see node and coffe getting more love as they're both really fun and neat. I see you're setting up a sandbox for us HNers which is probably best to show HN something they can actually use and draw some more attention towards your project.

Heres an idea for you, we all seem to love delicious and bookmarks. Why not integrate bookmarking into this project (private by default) but allow the use of 'publishing' to ycatalyst, or viewing previous discussions on already 'published' bookmarks/topics. You could then generate 'site' posts which are from hot/popular bookmarks, (I'd also try to keep who bookmarked it private by default).

Sounds easy and useful.
"password must be 5 to 20 characters".

Why 20? Where did that number come from?

too short? too long? i just wanted to cap it somewhere.
Too short. Why the need for a cap? Its hashed anyhow right?
yeah. I'll cap it at 1024 then.
nice seeing my lib (validator) in use. Also, damn CoffeeScript is sexy