@node-rs/argon2

What is @node-rs/argon2?

@node-rs/argon2 is a Node.js binding for the Argon2 password hashing algorithm, which is designed to be memory-hard and CPU-intensive to resist brute-force attacks. This package provides a fast and efficient way to hash and verify passwords using Argon2.

What are @node-rs/argon2's main functionalities?

Hashing a password

This feature allows you to hash a password using the Argon2 algorithm. The code sample demonstrates how to hash a password asynchronously and log the resulting hash.

const argon2 = require('@node-rs/argon2');
(async () => {
  const hash = await argon2.hash('password123');
  console.log(hash);
})();

Verifying a password

This feature allows you to verify a password against a previously generated hash. The code sample demonstrates how to hash a password and then verify it, logging the result of the verification.

const argon2 = require('@node-rs/argon2');
(async () => {
  const hash = await argon2.hash('password123');
  const isValid = await argon2.verify(hash, 'password123');
  console.log(isValid); // true
})();

Other packages similar to @node-rs/argon2

argon2

The 'argon2' package is another Node.js binding for the Argon2 password hashing algorithm. It provides similar functionality to @node-rs/argon2, including hashing and verifying passwords. However, @node-rs/argon2 is known for its performance improvements and efficiency due to its Rust-based implementation.

bcrypt

The 'bcrypt' package is a popular alternative for password hashing in Node.js. It uses the bcrypt algorithm, which is also designed to be computationally expensive to resist brute-force attacks. While bcrypt is widely used and trusted, Argon2 (used by @node-rs/argon2) is considered to be more secure due to its memory-hard properties.

scrypt

The 'scrypt' package provides bindings for the scrypt key derivation function, which is another algorithm designed to be memory-hard and resistant to brute-force attacks. Similar to @node-rs/argon2, scrypt is used for secure password hashing, but Argon2 is generally preferred for its modern design and security features.

README

@node-rs/argon2

RustCrypto: Argon2 binding for Node.js.

Argon2 is a key derivation function that was selected as the winner of the Password Hashing Competition(PHC) in July 2015.

Argon2 summarizes the state of the art in the design of memory-hard functions and can be used to hash passwords for credential storage, key derivation, or other applications.

It has a simple design aimed at the highest memory filling rate and effective use of multiple computing units, while still providing defense against tradeoff attacks (by exploiting the cache and memory organization of the recent processors).

Features

• Faster performance.

• No node-gyp and postinstall.

• Cross-platform support, including Apple M1.

• Smaller file size after npm installation(476K vs node-argon2 3.7M).

• @node-rs/argon2 supports all three algorithms:

  • Argon2i: Optimizes against GPU cracking attacks but vulnerable to side-channels. Accesses the memory array in a password dependent order, reducing the possibility of time–memory tradeoff (TMTO) attacks.
  • Argon2d: Optimized to resist side-channel attacks. Accesses the memory array in a password independent order, increasing the possibility of time-memory tradeoff (TMTO) attacks.
  • Argon2id: default value, this is the default algorithm for normative recommendations. Hybrid that mixes Argon2i and Argon2d passes. Uses the Argon2i approach for the first half pass over memory and Argon2d approach for subsequent passes. This effectively places it in the “middle” between the other two: it doesn’t provide as good TMTO/GPU cracking resistance as Argon2d, nor as good of side-channel resistance as Argon2i, but overall provides the most well-rounded approach to both classes of attacks.

Benchmarks

See benchmark/.

API

export const enum Algorithm {
  Argon2d = 0,
  Argon2i = 1,
  Argon2id = 2,
}
export const enum Version {
  /** Version 16 (0x10 in hex) */
  V0x10 = 0,
  /**
   * Default value
   * Version 19 (0x13 in hex, default)
   */
  V0x13 = 1,
}
export interface Options {
  /**
   * The amount of memory to be used by the hash function, in kilobytes. Each thread will have a memory pool of this size. Note that large values for highly concurrent usage will cause starvation and thrashing if your system memory gets full.
   *
   * Value is an integer in decimal (1 to 10 digits), between 1 and (2^32)-1.
   *
   * The default value is 4096, meaning a pool of 4 MiB per thread.
   */
  memoryCost?: number | undefined | null
  /**
   * The time cost is the amount of passes (iterations) used by the hash function. It increases hash strength at the cost of time required to compute.
   *
   * Value is an integer in decimal (1 to 10 digits), between 1 and (2^32)-1.
   *
   * The default value is 3.
   */
  timeCost?: number | undefined | null
  /**
   * The hash length is the length of the hash function output in bytes. Note that the resulting hash is encoded with Base 64, so the digest will be ~1/3 longer.
   *
   * The default value is 32, which produces raw hashes of 32 bytes or digests of 43 characters.
   */
  outputLen?: number | undefined | null
  /**
   * The amount of threads to compute the hash on. Each thread has a memory pool with memoryCost size. Note that changing it also changes the resulting hash.
   *
   * Value is an integer in decimal (1 to 3 digits), between 1 and 255.
   *
   * The default value is 1, meaning a single thread is used.
   */
  parallelism?: number | undefined | null
  algorithm?: Algorithm | undefined | null
  version?: Version | undefined | null
  secret?: Buffer | undefined | null
}
export function hash(
  password: string | Buffer,
  options?: Options | undefined | null,
  abortSignal?: AbortSignal | undefined | null,
): Promise<string>
export function verify(
  hashed: string | Buffer,
  password: string | Buffer,
  options?: Options | undefined | null,
  abortSignal?: AbortSignal | undefined | null,
): Promise<boolean>