node-argon2 VS frank_jwt

❓ Why is hashing and salting passwords mandatory? A salt is simply a random data used as an additional input to the hashing function to safeguard your password. The random string from the salt makes the hash unpredictable. A password hash involves converting the password into an alphanumeric string using specialized algorithms. Hashing and salting are irreversible and ensure that even if someone gains access to the hashed passwords, they will not be able to decrypt them to recover the original passwords. Hystorically bcrypt is recognized as the best hashing algorithm. However, in terms of robustness against all the new cryptographic attacks targeting hashing algorithms, the current clear winner is argon2. However, since the “youth" (2015) of this algorithm, I chose to use bcrypt

Argon2: this is the newest highly recommended algorithm, and recommended by OWASP. (Edit: originally linked to a low-download library.)

Though I am using bcrypt to hash passwords, recommended approach currently is argon2

As per security.stackexchange.com the recommended number of rounds for Bcrypt is a number such that it takes atleast 250 ms to hash your password. Argon2 on the other hand takes multiple parameters it seems. What is the equivalent configuration you need for Argon2? I am talking about an express webserver here with passportjs if that helps

If you already have Bcrypt & want to start converting to Argon2, check out this guide → https://github.com/ranisalt/node-argon2/wiki/Migrating-from-another-hash-function

You can look at the argon2 npm (https://www.npmjs.com/package/argon2).

NOTE: Never store sensitive information about a client in the payload as the JWT is just encoded and not encrypted. You can paste the JWT I gave as an example above in this cool site which basically allows you to see in decoded. JSON Web Tokens - jwt.io

Although they did not make it into production, I experimented with the RabbitMQ message broker, Python (Django, Flask), Kubernetes + minikube, JWT, and NGINX. This was a hobby project, but I intended to learn about microservices along the way.

JSON Web Token (JWT) creation to extend user authentication to server-side functions

The (probably) most famous web resource about JWT - https://jwt.io - provides such a definition of JSON Web Tokens:

If you want to play with JWT and put these concepts into practice, you can use jwt.ioDebugger to decode, verify, and generate JWTs.

In this context, JSON Web Tokens (JWTs) play a crucial role.

Json Web Token (JWT): Even though it is more like an industry standard, we will use JWTs for stateless authentication in this article. If you want to learn more, you can refer to the official documentation.

Se pegar o token jwt podemos ver o que tem dentro, usando o site jwt.io.

JWT token is not encrypted, it's just base64UrlEncoded. So, don't put any sensitive information in payload. Meaning, if for some reason an access token is stolen, an attacker will be able to decode it and see information in payload.Check it here.