I’ve never written a user auth system before and for this project I need to balance security with efficiency (meaning I can’t spend hundreds of man hours working on the security end of this, but that I need to keep passwords and login info secure).

I’m using Node.js with the express framework and passport for authentication and sessions.

The research I’ve done so far shows three problems to solve. Before today I had literally no idea what if any common solutions exist for these problems, and a few hours of randomly pecking away at the research isn’t giving me confidence in the completeness of the answers I’ve found.

The problems:

1. Do not store plain-text passwords unencrypted in a database
   (Possible answer: salt/hash the password ON THE SERVER and store the hash in the database.)

2. Do not pass plain-text passwords over non-secure http connection
   (Possible answers: A–Use Https ONLY for the authentication process. After that use http. B–Send a random salt to the user at the login page, hash the password client side, then un-hash and re-encrypt for database storage.)

3. Do not use weak encryption methods that GPUs can crack at 700,000,000 passwords per second.
   (Possible answer: bcrypt)

These are just the most sensible possible answers I’ve found in 3 hours of research. I have no idea whether these are sufficient, what their weaknesses are or what alternatives might be available. I’d appreciate any further insight (Also note: I’m not even sure–does https protect the password sufficiently as it is transmitted?)