Is this method of hashing passwords good? Node.js

I am currently developing a login for my website, (Using node.js and MySQL) and would like some feedback on the password hashing code.

    const crypto = require('crypto');

    function RandomSaltString(length) {
        // randomBytes(n) returns n cryptographically secure random bytes;
        // hex encoding doubles the length, so ceil(length/2) bytes give at
        // least `length` hex characters, which slice() then trims to exactly `length`.
        return crypto.randomBytes(Math.ceil(length / 2)) // I have absolutely no idea what this is
            .toString('hex')                             // And this
            .slice(0, length);                           // Well I think I know this though
    }

    function Hash(password, salt) {
        // HMAC-SHA512 keyed with the salt, hex-encoded
        const hash = crypto.createHmac('sha512', salt);
        hash.update(password);
        return hash.digest('hex');
    }

    function preparePasswordForStorage(password) {
        const salt = RandomSaltString(20);           // was randomString(20), which is not defined above
        const hashedPassword = Hash(password, salt); // was hashFunc(...), which is not defined above
        // Will encrypt the hashed password and salt here once I figure it out.
        return {
            hashedPass: hashedPassword,
            salt: salt // Will be stored in db directly after this.
        };
    }

I know this isn't exactly a node.js sub, but well yeah. Thanks in advance guys!

How do universities and schools securely sync passwords between multiple services?

I’m a student and it seems every school or university I have been to has one password that you set for your user account for logging in to university services, which is also then synced to external services the university use such as blackboard, fronter, dropbox, Office 365 e-mail, etc.

Lesson 1 of cybersecurity is not to store passwords in plain text or to encrypt them. But instead to use some sort of hashing algorithm. If this is true how can a university’s IT service automatically sync password for all the relevant accounts? I can understand how this can be done by using APIs each time to update all the services when a password change has been requested, but it would then make it impossible to adopt a new service without the user re-entering their password.

How is it done? Or are they just holding passwords in plain text?

Is a password manager better than an encrypted file for storing passwords?

For any passwords other than websites I log into regularly (such as Gmail, Facebook, etc.), I use apg to generate a random 20 character password. I then add that password and a username or email address to a text file I keep stored in an encrypted VeraCrypt volume (password for that exists solely in my head).

In light of the Collection #1 breach, I’m planning to go through and change some of my passwords, and I’m wondering about the benefits of using a password manager such as Encryptr or Gnome Keyring. I usually use Mint with Cinnamon.

Is storing passwords in an encrypted file considered adequate for most people's needs? Even if it is, are there other benefits to using a password manager?

Many websites allow passwords equal to username or e-mail address. Is this not a security risk?

I’m currently testing password policies on websites to get a feeling for what might be an acceptable policy/trade-off that provides good protection for our users without frustrating them.

I was surprised to find out that each and every website I tested allowed me to set a password that was equal to my username or e-mail address. If it couldn’t be set to the username, it was only because it didn’t meet the minimum length requirement. Equal to e-mail address worked every time. Even on sites that had rather strict policies otherwise.

Instinctively, I would think that this is no more secure than using a stupid password, such as “1234” or “password”. I’m also pretty sure that NIST SP 800-63B advises against such context-specific passwords (i.e. containing application name, username or user e-mail address). Unfortunately, I cannot verify this claim, as the NIST publication seems to be currently unavailable due to the US government shutdown.

Am I wrong in thinking that such context-specific passwords should be treated in the same manner as “stupid” passwords? If yes, what am I not seeing?

Checking if my passwords are among the stolen ones

There is a new big case of stolen login/password data in the news: https://www.forbes.com/sites/daveywinder/2019/01/17/collection-1-more-than-770m-people-pwned-in-biggest-stolen-data-dump-yet/?ss=cybersecurity#1cc1b07e509f

At the same time, I am reading that there are services that let you check if your own login data is affected, e.g. this one: https://haveibeenpwned.com

Is it safe to enter my email address there to find out whether I need to change my passwords?

If passwords are stored hashed, how would a computer know that your password is similar to the last one if you try resetting your password?

If passwords are stored hashed, how would a computer know that your password is similar to the last one if you try resetting your password? Wouldn’t the two passwords be totally different since one is hashed, and unable to be reversed?

What do we do when passwords are not secure anymore?

During an intense shower thought train, I began to think about a hypothetical world where passwords were no longer a safe way of protecting systems. Whether computers became too powerful and could brute force anything, or some magic program was released doesn’t matter here.

If passwords were out of the picture, how would the general public go about securing their computers and online accounts?

KeePassXC for managing passwords, threat model: Entire world actively trying to decrypt my password given the file

I use KeePassXC on a Linux distribution for managing my passwords.

For the sake of the argument, let’s assume that the file is publicly accessible, and the entire world’s number 1 priority for the next 100 years is to try to decrypt my kdbx file. No more Facebook, no more extra activities, the whole manpower of the world (Including individuals, corporations, organizations and so on) is suddenly dedicated to this in the best of their ability and knowledge, 18 hours a day, for the next 100 years.

Let’s also assume, for the sake of the argument, that me and my computer are out of the equation (no Rubber-hose cryptanalysis, no system hacking, etc), all the world has is the kdbx file, the protocol info (below) and some hints about the password.

Details:
Encryption Algorithm: AES 256 Bit
Key Derivation function: Argon2 (KDBX4)
Transform rounds: 11, Memory usage: 64 MiB, Parallelism: 4 Threads (Benchmarked for 1 second delay)
Only Password, no key file.

Password: 49 characters, that don’t include words in the dictionary (perhaps just accidentally, 3-letter words), however, not even randomly generated.

The question is: how likely is it that the file is decrypted within 100 years?

How can I upload an SSH key to a system that doesn’t use passwords?

I would like to create a public/private keypair and upload the public key to a server that I want to log onto.

However, that server has already been configured to allow no password authentication of any kind – only key based authentication is allowed.

How do I upload my public key to that system? I have no way to log in …

Just to be clear – I understand very well how to scp my public key to the remote .ssh/authorized_keys file – that is not the issue – the problem is, if password auth is disabled, how can I get the key to them in the first place?