Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
argon2-browser
Advanced tools
Argon2 is a password-hashing function, the winner of Password Hashing Competition. Here Argon2 library is compiled for browser runtime.
Time, ms (lower is better) | |
---|---|
Chrome WASM | 225 |
Chrome WASM+SIMD | 119 |
Firefox WASM | 195 |
Firefox WASM+SIMD | 135 |
Safari WASM | 174 |
Native -O3 SSE | 15 |
Native -O3 | 42 |
Native -O1 | 55 |
Native -O0 | 395 |
Environment used to get the numbers above:
Algorithm parameters (-d -t 100 -m 10 -p 1
):
Environment:
ll -h dist
File | Code size, kB |
---|---|
argon2.js | 14 |
argon2.wasm | 25 |
No, it's used a submodule from upstream.
SIMD is not quite here in WebAssembly, however for those who would like to give it a try, we already provide a working build with SIMD. At the moment it works only in Chrome, to be able to use it, you need to either add this origin trial to your website, or enable the SIMD feature in Chrome flags.
More about WebAssembly SIMD support in V8: https://v8.dev/features/simd
On Firefox you need to enable javascript.options.wasm_simd
option in about:config.
To use the SIMD version, load argon2-simd.wasm
instead of argon2.wasm
.
The library can be installed from npm:
npm install argon2-browser
Then add script to your HTML or use your favorite bundler:
<script src="node_modules/argon2-browser/lib/argon2.js"></script>
Calculate the hash:
argon2.hash({ pass: 'password', salt: 'somesalt' })
.then(h => console.log(h.hash, h.hashHex, h.encoded))
.catch(e => console.error(e.message, e.code))
Verify the encoded hash (if you need it):
argon2.verify({ pass: 'password', encoded: 'enc-hash' })
.then(() => console.log('OK'))
.catch(e => console.error(e.message, e.code))
Other parameters:
argon2.hash({
// required
pass: 'password',
salt: 'salt',
// optional
time: 1, // the number of iterations
mem: 1024, // used memory, in KiB
hashLen: 24, // desired hash length
parallelism: 1, // desired parallelism (will be computed in parallel only for PNaCl)
secret: new Uint8Array([...]), // optional secret data
ad: new Uint8Array([...]), // optional associated data
type: argon2.ArgonType.Argon2d, // or argon2.ArgonType.Argon2i
})
// result
.then(res => {
res.hash // hash as Uint8Array
res.hashHex // hash as hex-string
res.encoded // encoded hash, as required by argon2
})
// or error
.catch(err => {
err.message // error message as string, if available
err.code // numeric error code
})
You can use this module in several ways:
Of course you can use generated WASM in node.js, but it's not sensible: you will get much better speed by compiling it as a native node.js addon, which is not that hard. Wait, it's already done, just install this package.
It is! KeeWeb (web-based password manager) is using it as a password hashing function implementation. Check out the source code, if you're interested.
You can build everything with
./build.sh
Prerequisites:
FAQs
Argon2 library compiled for browser runtime
The npm package argon2-browser receives a total of 3,276 weekly downloads. As such, argon2-browser popularity was classified as popular.
We found that argon2-browser demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.