The argon2 npm package is a library for hashing passwords using the Argon2 algorithm, which is a modern, secure, and memory-hard hashing algorithm. It is designed to be resistant to GPU cracking attacks and is considered one of the most secure password hashing algorithms available.
Hashing a password
This feature allows you to hash a password using the Argon2 algorithm. The hash function takes a plain text password and returns a hashed version of it.
```js
const argon2 = require('argon2');

(async () => {
  try {
    const hash = await argon2.hash('password');
    console.log(hash);
  } catch (err) {
    console.error(err);
  }
})();
```
Verifying a password
This feature allows you to verify a password against a previously hashed password. The verify function takes a hash and a plain text password and returns a boolean indicating whether the password matches the hash.
```js
const argon2 = require('argon2');

(async () => {
  try {
    const hash = await argon2.hash('password');
    const isMatch = await argon2.verify(hash, 'password');
    console.log(isMatch); // true
  } catch (err) {
    console.error(err);
  }
})();
```
Configuring hashing options
This feature allows you to configure various options for the hashing process, such as the type of Argon2 algorithm to use (argon2d, argon2i, or argon2id), memory cost, time cost, and parallelism.
```js
const argon2 = require('argon2');

(async () => {
  try {
    const hash = await argon2.hash('password', {
      type: argon2.argon2id,
      memoryCost: 2 ** 16,
      timeCost: 5,
      parallelism: 1
    });
    console.log(hash);
  } catch (err) {
    console.error(err);
  }
})();
```
bcrypt is a popular password hashing library that uses the bcrypt algorithm. It is widely used and has been around for a long time. While bcrypt is still considered secure, Argon2 is generally considered to be more secure due to its resistance to GPU cracking attacks and its memory-hard properties.
pbkdf2 is a password hashing library that uses the PBKDF2 algorithm. It is part of the cryptographic library in Node.js and is widely used. However, PBKDF2 is not memory-hard and is considered less secure than Argon2 for password hashing purposes.
scrypt is a password hashing library that uses the scrypt algorithm. It is designed to be memory-hard and is considered secure. However, Argon2 is generally considered to be more secure and efficient than scrypt, and it has been recommended by various security experts and organizations.
Bindings to the reference Argon2 implementation.
Want to use it on the command line? Check node-argon2-cli instead.
It is possible to hash a password using Argon2i (default), Argon2d or Argon2id, sync or async, and to verify whether a password matches a hash.
To hash a password:
```js
const argon2 = require('argon2');

argon2.hash('password').then(hash => {
  // ...
}).catch(err => {
  // ...
});

// ES7 or TypeScript
try {
  const hash = await argon2.hash("password");
} catch (err) {
  //...
}
```
You can choose between Argon2i, Argon2d and Argon2id by passing an object as the third argument with the `type` key set to the type you want to use:
```js
argon2.hash('password', {
  type: argon2.argon2d
}).then(hash => {
  // ...
}).catch(err => {
  // internal failure
});

// ES7 or TypeScript
try {
  const hash = await argon2.hash('password', {
    type: argon2.argon2d
  });
} catch (err) {
  // internal failure
}
```
The `type` option is flexible and accepts 0, 1 or 2 for Argon2d, Argon2i and Argon2id respectively.
You can also get the hash as a raw Node Buffer by passing `true` to the `raw` option:
```js
argon2.hash('password', {
  raw: true
}).then(hash => {
  // ... hash is a Buffer
}).catch(err => {
  // internal failure
});

// ES7 or TypeScript
try {
  const hash = await argon2.hash('password', {
    raw: true
  });
} catch (err) {
  // internal failure
}
```
You can change the Promise with any-promise. Try using Bluebird or Q for enhanced functionality.
You can also modify the time, memory and parallelism constraints by passing the object as the third parameter, with the keys `timeCost`, `memoryCost` and `parallelism`, which default to 3, 12 (meaning 2^12 KiB) and 1 (threads) respectively:
```js
const options = {
  timeCost: 4, memoryCost: 13, parallelism: 2, type: argon2.argon2d
};

argon2.hash('password', options).then(hash => {
  // ...
});

// ES7 or TypeScript
const hash = await argon2.hash("password", options);
```
The default parameters for Argon2 can be accessed with `defaults`:

```js
console.log(argon2.defaults);
// => { timeCost: 3, memoryCost: 12, parallelism: 1, type: argon2.argon2i }
```
To verify a password:
```js
argon2.verify('<big long hash>', 'password').then(match => {
  if (match) {
    // password match
  } else {
    // password did not match
  }
}).catch(err => {
  // internal failure
});

// ES7 or TypeScript
try {
  if (await argon2.verify("<big long hash>", "password")) {
    // password match
  } else {
    // password did not match
  }
} catch (err) {
  // internal failure
}
```
The first parameter must be an encoded hash produced by one of the Argon2 hashing methods, not a raw one.
When you hit an internal failure, the error message is set properly. If it is not, or you do not understand it, feel free to open an issue.
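As an added example (not the node-argon2 project's code), the helper below parses the encoded string that `argon2.hash()` returns, covering both the cost options described above and the "encoded, not raw" requirement of `verify()`, and decides whether a stored hash was produced with parameters below an assumed policy so it can be re-hashed on the user's next successful login. The policy values and both sample hashes are constructed for illustration; the digest bytes are not real Argon2 output.

```javascript
'use strict';
// Encoded form: $argon2id$v=19$m=65536,t=5,p=1$<salt b64>$<digest b64>
// (the "$v=" field is absent for hashes made by Argon2 version 1.0).
// Base64 in this format is unpadded, so "=" is not accepted.
const PHC_RE = /^\$(argon2(?:id|i|d))(?:\$v=(\d+))?\$m=(\d+),t=(\d+),p=(\d+)\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)$/;

function parseArgon2Hash(encoded) {
  const m = PHC_RE.exec(String(encoded));
  if (m === null) return null; // raw Buffer output or a non-Argon2 string
  return {
    type: m[1],
    version: m[2] === undefined ? 0x10 : Number(m[2]),
    memoryCost: Number(m[3]), // always expressed in KiB inside the encoded string
    timeCost: Number(m[4]),
    parallelism: Number(m[5]),
    salt: Buffer.from(m[6], 'base64'),
    digest: Buffer.from(m[7], 'base64'),
  };
}

// Assumed policy: argon2id with 2^16 KiB of memory and at least 3 passes.
const POLICY = { type: 'argon2id', memoryCost: 2 ** 16, timeCost: 3 };

// True when the stored hash should be replaced after the next successful verify().
function needsRehash(encoded, policy = POLICY) {
  const p = parseArgon2Hash(encoded);
  if (p === null) return true; // unparseable: cannot show it meets the policy
  return p.type !== policy.type
    || p.memoryCost < policy.memoryCost
    || p.timeCost < policy.timeCost;
}

// Constructed sample hashes (unpadded base64, as the real encoding uses).
const b64 = (buf) => buf.toString('base64').replace(/=+$/, '');
const salt = b64(Buffer.from('somesaltsomesalt')); // constructed 16-byte salt
const digest = b64(Buffer.alloc(32, 7));           // constructed 32-byte digest
// Mirrors the README defaults: argon2i, 2^12 KiB, 3 passes.
const LEGACY_HASH = `$argon2i$v=19$m=4096,t=3,p=1$${salt}$${digest}`;
const CURRENT_HASH = `$argon2id$v=19$m=65536,t=5,p=1$${salt}$${digest}`;
```

In a login handler, call `needsRehash()` only after `argon2.verify()` has returned true, since the plaintext password is needed to compute the replacement hash.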
A TypeScript type declaration file is published with this module. If you are using TypeScript >= 2.0.0 that means you do not need to install any additional typings in order to get access to the strongly typed interface. Simply use the library as mentioned above. This library uses Promises, so make sure you are targeting ES6+, including the es2015.promise lib in your build, or globally importing a Promise typings library.
Some example tsconfig.json compiler options:
```json
{
  "compilerOptions": {
    "lib": ["es2015.promise"]
  }
}
```

or

```json
{
  "compilerOptions": {
    "target": "es6"
  }
}
```

```ts
import * as argon2 from "argon2";

const hash = await argon2.hash(..);
```
This library is implemented natively, meaning it is an extension to the node engine. Thus, half of the code is C++ bindings and the other half is JavaScript functions. node-argon2-ffi uses ffi, a mechanism for calling functions from one language in another, and handles the type bindings (e.g. JS Number -> C++ int).
The interfaces of both are very similar; notably, node-argon2-ffi splits the argon2i and argon2d function sets, while this module also has the argon2id option. Also, while node-argon2-ffi suggests you promisify `crypto.randomBytes`, this library does that internally.
Performance-wise, the libraries are equal. You can run the same benchmark suite if you are curious, but both can perform around 130 hashes/second on an Intel Core i5-4460 @ 3.2GHz with default options.
You MUST have a global node-gyp install before proceeding with the install, along with GCC >= 4.8 / Clang >= 3.3. On Windows, you must compile under Visual Studio 2015 or newer.
node-argon2 works only on, and is tested against, Node >= 4.0.0.
To install GCC >= 4.8 on OSX, use homebrew:

```sh
$ brew install gcc
```

Once you have GCC installed and ready to run, you then need to install node-gyp; you must do this globally:

```sh
$ npm install -g node-gyp
```

Finally, once node-gyp is installed and ready to go, you can install this library, specifying the GCC or Clang binary to use:

```sh
$ CXX=g++-6 npm install argon2
```

NOTE: If your GCC or Clang binary is named something other than g++-6, you will need to specify that in the command.
Work licensed under the MIT License. Please check P-H-C/phc-winner-argon2 (https://github.com/P-H-C/phc-winner-argon2) for the license over Argon2 and the reference implementation.
An Argon2 library for Node
The npm package argon2 receives a total of 141,376 weekly downloads. As such, argon2 popularity was classified as popular.
We found that argon2 demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.