0

I'm creating a simple admin dashboard using Node and Express that only me and 2 others would use, and I decided to use a simple password to get access to the dashboard. I want to keep this as a light application, so I don't want to use a full dedicated database just to store one password.

Instead, I'm using a Passport.js local strategy with bcrypt to check if the password entered matches the 10-round hash that I store in an environment variable (accessed as, say, process.env.HASH). Is this a safe way of authenticating, or is there a better method to do this without a database?

sid_508

1 Answer

0

I'm no expert but that sounds pretty safe to me.

The hash is safe so long as it's kept out of public code repos.

It seems easy to change if it gets compromised.
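
The setup described in the question, as an added example that is not part of the original post or answer: one shared password checked against a hash held in an environment variable, with the app refusing to start if that variable is missing or malformed. It uses Node's built-in scrypt in place of bcrypt so it runs without dependencies; the variable name ADMIN_PASSWORD_HASH, the stored-hash format and the helper names are assumptions made for this example.

```javascript
// Added example: scrypt (Node built-in) stands in for bcrypt here.
const crypto = require('node:crypto');

const KEYLEN = 32; // derived key length in bytes

// Run once, offline, to produce the value placed in the environment variable.
// The "scrypt$<salt hex>$<key hex>" format is an assumption of this example.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password, salt, KEYLEN);
  return ['scrypt', salt.toString('hex'), key.toString('hex')].join('$');
}

// Parse the stored value at startup. Throwing here makes the app fail closed
// instead of running with no usable password check.
function loadStoredHash(env, name = 'ADMIN_PASSWORD_HASH') {
  const m = /^scrypt\$([0-9a-f]{32})\$([0-9a-f]{64})$/.exec(env[name] || '');
  if (!m) throw new Error(`${name} is missing or malformed`);
  return { salt: Buffer.from(m[1], 'hex'), key: Buffer.from(m[2], 'hex') };
}

// Derive a key from the candidate and compare it in constant time.
function verifyPassword(candidate, stored) {
  if (typeof candidate !== 'string' || candidate.length === 0) return false;
  const derived = crypto.scryptSync(candidate, stored.salt, stored.key.length);
  return crypto.timingSafeEqual(derived, stored.key);
}

// Verify callback in the shape passport-local expects: done(err, user | false).
function makeVerify(stored) {
  return (username, password, done) =>
    done(null, verifyPassword(password, stored) ? { id: 'admin' } : false);
}

// Constructed sample environment standing in for process.env.
const sampleEnv = { ADMIN_PASSWORD_HASH: hashPassword('correct horse battery staple') };
const stored = loadStoredHash(sampleEnv);
console.log(verifyPassword('correct horse battery staple', stored));
console.log(verifyPassword('wrong guess', stored));
```

In a real app, pass `process.env` to `loadStoredHash` once at startup and hand `makeVerify(stored)` to the local strategy.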