In the web application I’m doing it with server-side session and cookies, but what to do in electron?
Are the local and remote accounts connected ? If so you probably want the server to check for password and answer back to your application.
If you want to have a login system local only, node have a crypto module. (Do not confuse with crypto project on npm)
That crypto module implements
password based key derivation function 2 pbkdf2. The output of this function can safely be stored in plain text and you can compare those hash to validate function.
Pbkdf2 need a salt, your salt should be made of something unique to the user and something unique from your application.
"UserName|ApplicationName"could be a start. Ideal would be a large random number unique per user, but it depend if you have the infrastructure for managing and keeping those secrets. With an attacker that can use the console to view the memory of electron, the simple salt is good enough.
Default API is async. Slow is good against bruteforce.