
We have an existing app which is developed using Rails, but we are migrating to LoopBack. One of the issues we are facing is the different encryption method for passwords. We have used AES encryption, whereas LoopBack uses bcrypt. I have two questions:

  1. Which encryption (AES or the bcrypt way) is better?
  2. If we were to implement bcrypt, would it be consistent to log in from the web as well as from the API? I know we have used a salt (basic).

Please suggest.

Thanks, Raj

Raj Lalwani

1 Answer


AES doesn't make much sense for password storage: it's an encryption algorithm (not a hashing algorithm). For storing passwords, you should always be using bcrypt, no matter what.

You also don't want to log in to an API using your username/password (e.g. bcrypt). You want to generate API keys (random UUIDs) specifically for an API user to auth with; this reduces the risk of leaking user credentials (username/password) publicly, which could cause huge breaches.

rdegges