What is argon2?
The argon2 npm package is a library for hashing passwords using the Argon2 algorithm, which is a modern, secure, and memory-hard hashing algorithm. It is designed to be resistant to GPU cracking attacks and is considered one of the most secure password hashing algorithms available.
What are argon2's main functionalities?
Hashing a password
This feature allows you to hash a password using the Argon2 algorithm. The hash function takes a plain text password and returns a hashed version of it.
const argon2 = require('argon2');

(async () => {
  try {
    const hash = await argon2.hash('password');
    console.log(hash); // encoded string: $argon2id$v=19$m=...,t=...,p=...$<salt>$<hash>
  } catch (err) {
    console.error(err);
  }
})();
Verifying a password
This feature allows you to verify a password against a previously hashed password. The verify function takes a hash and a plain text password and returns a boolean indicating whether the password matches the hash.
const argon2 = require('argon2');

(async () => {
  try {
    const hash = await argon2.hash('password');
    const isMatch = await argon2.verify(hash, 'password');
    console.log(isMatch); // true
  } catch (err) {
    console.error(err);
  }
})();
Configuring hashing options
This feature allows you to configure various options for the hashing process, such as the type of Argon2 algorithm to use (argon2d, argon2i, or argon2id), memory cost, time cost, and parallelism.
const argon2 = require('argon2');

(async () => {
  try {
    const hash = await argon2.hash('password', {
      type: argon2.argon2id,
      memoryCost: 2 ** 16, // in KiB
      timeCost: 5,         // number of passes
      parallelism: 1       // number of lanes/threads
    });
    console.log(hash);
  } catch (err) {
    console.error(err);
  }
})();
Other packages similar to argon2
bcrypt
bcrypt is a popular password hashing library that uses the bcrypt algorithm. It is widely used and has been around for a long time. While bcrypt is still considered secure, Argon2 is generally considered to be more secure due to its resistance to GPU cracking attacks and its memory-hard properties.
pbkdf2
pbkdf2 is a password hashing library that uses the PBKDF2 algorithm. It is part of the cryptographic library in Node.js and is widely used. However, PBKDF2 is not memory-hard and is considered less secure than Argon2 for password hashing purposes.
scrypt
scrypt is a password hashing library that uses the scrypt algorithm. It is designed to be memory-hard and is considered secure. However, Argon2 is generally considered to be more secure and efficient than scrypt, and it has been recommended by various security experts and organizations.
node-argon2
Bindings to the reference Argon2 implementation.
Want to use it on the command line? Instead check node-argon2-cli.
Before installing
You MUST have a node-gyp global install before proceeding with install,
along with GCC >= 4.8 / Clang >= 3.3. On Windows, you must compile under Visual
Studio 2015 or newer.
node-argon2 works only with, and is tested against, Node >=4.0.0.
OSX
To install GCC >= 4.8 on OSX, use homebrew:
$ brew install gcc
Once you've got GCC installed and ready to run, you then need to install
node-gyp; you must do this globally:
$ npm install -g node-gyp
Finally, once node-gyp is installed and ready to go, you can install this
library, specifying the GCC or Clang binary to use:
$ CXX=g++-5 npm install argon2
NOTE: If your GCC or Clang binary is named something different than g++-5,
you'll need to specify that in the command.
Usage
It's possible to hash a password using both Argon2i (default) and Argon2d, sync
and async, to verify whether a password matches a hash, and to generate random
cryptographically-safe salts. Salts must be Buffers at least 8 bytes long.
To hash a password:
const argon2 = require('argon2');
// Constant salt shown only for brevity; use generateSalt() in real code (see below)
const salt = new Buffer('somesalt');

// Promise style
argon2.hash('password', salt).then(hash => {
  // hash is the encoded Argon2 string, safe to store
}).catch(err => {
  // hashing failed
});

// Synchronous style
try {
  const hash = argon2.hashSync('password', salt);
} catch (err) {
  // hashing failed
}

// async/await style (must run inside an async function)
try {
  const hash = await argon2.hash('password', salt);
} catch (err) {
  // hashing failed
}
You can choose between Argon2i and Argon2d by passing an object as the third
argument with the argon2d key set to whether or not you want Argon2d:
// Promise style (the options object closes before .then is chained)
argon2.hash('password', salt, {
  argon2d: true
}).then(hash => {
  // hash is an Argon2d encoded string
});

// Synchronous style
try {
  const hash = argon2.hashSync('password', salt, {
    argon2d: true
  });
} catch (err) {
  // hashing failed
}

// async/await style
try {
  const hash = await argon2.hash('password', salt, {
    argon2d: true
  });
} catch (err) {
  // hashing failed
}
The argon2d option is flexible and accepts any truthy or falsy values.
You can provide your own salt as the second parameter. It is highly
recommended to use the salt generating methods instead of a hardcoded, constant
salt:
// Promise style
argon2.generateSalt().then(salt => {
  // salt is a Buffer of random bytes (16 by default)
});

// Synchronous style
var salt = argon2.generateSaltSync();

// async/await style
const salt = await argon2.generateSalt();
You can also pass a desired salt length as a parameter. Although the default of 16
is enough and very safe, Argon2 will use all salt bytes.
// Promise style
argon2.generateSalt(32).then(salt => {
  // salt is a 32-byte Buffer
});

// Synchronous style
var salt = argon2.generateSaltSync(32);

// async/await style
const salt = await argon2.generateSalt(32);
Please keep in mind that synchronous salt generation is blocking, since it waits for
entropy when not enough is available, so please refrain from using the sync version.
You can also modify time, memory and parallelism constraints by passing the object
as the third parameter, with keys timeCost, memoryCost and parallelism,
respectively defaulted to 3, 12 (meaning 2^12 KB) and 1 (threads):
const options = {
  timeCost: 4,      // passes over memory
  memoryCost: 13,   // log2 of the memory in KB, i.e. 2^13 KB
  parallelism: 2,   // threads
  argon2d: true
};

// Promise style
argon2.generateSalt().then(salt => {
  argon2.hash('password', salt, options).then(hash => {
    // hash is the encoded string produced with the options above
  });
});

// Synchronous style
var hash = argon2.hashSync('password', argon2.generateSaltSync(), options);

// async/await style
var hash = await argon2.hash('password', await argon2.generateSalt(), options);
The default parameters for Argon2 can be accessed with defaults:
console.log(argon2.defaults);
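As an added example (not code from the argon2 package or its README) tying together the current options API above and the older timeCost/memoryCost/parallelism parameters: it parses the encoded string argon2.hash() returns and uses the embedded parameters to decide, at login, whether a stored hash should be re-hashed under a stronger policy. The policy values, the sample hash and the injected argon2 object are assumptions; the real module's verify/hash are only called through that object, so the file runs without the native binding.

```javascript
// Added example, not part of the argon2 package: parse the encoded string that
// argon2.hash() returns and decide whether a stored hash must be upgraded.
// Format: $argon2<variant>$v=<ver>$m=<KiB>,t=<passes>,p=<lanes>$<salt>$<tag>
// m= is in KiB, like the current memoryCost option (2 ** 16); the older README
// above instead took log2 of that value (12 meaning 2^12 KB).
// Constructed sample hash (not a real digest); m=4096 KiB, t=3, p=1.
const SAMPLE_HASH =
  '$argon2id$v=19$m=4096,t=3,p=1$c29tZXNhbHRzb21lc2FsdA$' +
  'RdescudvJCsgt3ub+b+dWRWJTmaaJObG';

// Byte length of an unpadded base64 string, as used in the encoded format.
const b64Bytes = s => Math.floor((s.length * 3) / 4);

function parseArgon2Hash(encoded) {
  const m = /^\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)$/
    .exec(encoded);
  if (!m) throw new Error('not an Argon2 encoded hash');
  return {
    type: m[1],
    version: Number(m[2]),
    memoryCost: Number(m[3]), // KiB
    timeCost: Number(m[4]),
    parallelism: Number(m[5]),
    saltLength: b64Bytes(m[6]),
    hashLength: b64Bytes(m[7]),
  };
}

// Assumed current policy; the variant name is mapped to the package constant
// (argon2.argon2id etc.) only when calling argon2.hash().
const POLICY = { type: 'argon2id', memoryCost: 2 ** 16, timeCost: 5, parallelism: 1 };

// True when the stored hash uses a different variant or is weaker on any
// cost parameter, so the just-verified password should be hashed again.
function needsRehash(encoded, policy = POLICY) {
  const p = parseArgon2Hash(encoded);
  return p.type !== policy.type
    || p.memoryCost < policy.memoryCost
    || p.timeCost < policy.timeCost
    || p.parallelism < policy.parallelism;
}

// Login step: verify, then transparently upgrade weak hashes. The argon2
// module is injected (assumption) so this file also runs without the binding.
async function loginAndUpgrade(argon2, storedHash, password, policy = POLICY) {
  if (!(await argon2.verify(storedHash, password))) return { ok: false, newHash: null };
  if (!needsRehash(storedHash, policy)) return { ok: true, newHash: null };
  const opts = { ...policy, type: argon2[policy.type] };
  return { ok: true, newHash: await argon2.hash(password, opts) };
}
```

Store the returned newHash in place of the old one only after the password has verified, so a wrong guess never triggers a re-hash.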
To verify a password:
// Promise style: resolves on match, rejects otherwise
argon2.verify('<big long hash>', 'password').then(() => {
  // password matches
}).catch(() => {
  // password does not match
});

// Synchronous style: returns a boolean
if (argon2.verifySync('<big long hash>', 'password')) {
  // password matches
} else {
  // password does not match
}

// async/await style
try {
  await argon2.verify('<big long hash>', 'password');
  // password matches
} catch (err) {
  // password does not match
}
The first parameter must have been generated by an Argon2 encoded hashing method,
not a raw one.
License
Work licensed under the MIT License. Please check
P-H-C/phc-winner-argon2 (https://github.com/P-H-C/phc-winner-argon2) for
the license over Argon2 and the reference implementation.