Which library is the best for encryption in phoenix?

greatisgreat · December 1, 2020, 5:28pm

I would like to know which library is the best for encryption in phoenix or can i just use Plug.Crypto.MessageEncryptor? I want to encrypt a password that the user send us

Thanks

hauleth · December 1, 2020, 11:18pm

What and why you want to encrypt?

greatisgreat · December 2, 2020, 2:34am

i want to encrypt the password and store it in the database

kokolegorille · December 2, 2020, 2:40am

There are some…

argon2_elixir
bcrypt_elixir
pbkdf2_elixir

You might find them on hex.pm

greatisgreat · December 2, 2020, 3:02am

But cant i just use Plug.Crypto.MessageEncryptor for encrypting the password?

kokolegorille · December 2, 2020, 3:09am

Those mentionned are for this task…

greatisgreat · December 2, 2020, 3:26am

why do you recommend using these libraries over Plug.Crypto.MessageEncryptor for encrypting the passwords and storing it in the database?

kokolegorille · December 2, 2020, 3:28am

Because of topic’s title…

greatisgreat · December 2, 2020, 3:29am

so will you recommend using these libraries over Plug.Crypto.MessageEncryptor?

kokolegorille · December 2, 2020, 3:40am

Yes, I would recommend those libraries for the requested task.

While I would use Plug.Crypto.MessageEncryptor for encrypting communication.

sb8244 · December 2, 2020, 5:36am

You don’t want passwords to be decrypted… Or else someone could maliciously do that and the passwords are leaked.

The 3 libraries mentioned are all hashing libraries. That means that the data goes in and (in theory) can never come back out again.

I might suggest using a prebuilt user login solution like pow if you are not sure what the difference is. User data is important to keep private.

Aetherus · December 2, 2020, 8:28am

All the methods listed by @kokolegorille are hashing methods that are irreversible, and they are all designed to be slow so that it’s infeasible to brute-force the original password.

PBKDF2 is CPU-proof (meaning you are unable to crack the original password using only some CPUs) but not GPU-proof.
BCrypt is both CPU-proof and GPU-proof, but may be vulnerable to quantum computers.
Argon2 is safe to all known brute-force and rainbow table attacking vectors.

hauleth · December 2, 2020, 9:49am

You should never, ever, EVER encrypt passwords for storage. You always hash them with KDF like already mentioned by @kokolegorille. In exactly the same order they listed them:

Argon2
If above is out of question then crypt
If none of the above fits the bill (or you need to be NIST certified) then you go with PBKDF2

Alternatively there are other algorithms, but as you asked this question, then I would say that you should use one of the mentioned above.

kenny-evitt · December 8, 2020, 4:16pm

There’s an ‘official’ Phoenix auth generator that’s very nice:

Overview — phx_gen_auth v0.6.0

I ran the Mix task for the generator on a project recently and adapted the generated code. I used Argon2 for password hashing.

comeonin – something like the standard password hashing ‘interface’ – recommends using Argon2:

riverrun/comeonin: Password hashing specification for the Elixir programming language