What is argon2?
The argon2 npm package is a library for hashing passwords using the Argon2 algorithm, which is a modern, secure, and memory-hard hashing algorithm. It is designed to be resistant to GPU cracking attacks and is considered one of the most secure password hashing algorithms available.
What are argon2's main functionalities?
Hashing a password
This feature allows you to hash a password using the Argon2 algorithm. The hash function takes a plain text password and returns a hashed version of it.
const argon2 = require('argon2');
(async () => {
try {
const hash = await argon2.hash('password');
console.log(hash);
} catch (err) {
console.error(err);
}
})();
Verifying a password
This feature allows you to verify a password against a previously hashed password. The verify function takes a hash and a plain text password and returns a boolean indicating whether the password matches the hash.
const argon2 = require('argon2');
(async () => {
try {
const hash = await argon2.hash('password');
const isMatch = await argon2.verify(hash, 'password');
console.log(isMatch); // true
} catch (err) {
console.error(err);
}
})();
Configuring hashing options
This feature allows you to configure various options for the hashing process, such as the type of Argon2 algorithm to use (argon2d, argon2i, or argon2id), memory cost, time cost, and parallelism.
const argon2 = require('argon2');
(async () => {
try {
const hash = await argon2.hash('password', {
type: argon2.argon2id,
memoryCost: 2 ** 16,
timeCost: 5,
parallelism: 1
});
console.log(hash);
} catch (err) {
console.error(err);
}
})();
Other packages similar to argon2
bcrypt
bcrypt is a popular password hashing library that uses the bcrypt algorithm. It is widely used and has been around for a long time. While bcrypt is still considered secure, Argon2 is generally considered to be more secure due to its resistance to GPU cracking attacks and its memory-hard properties.
pbkdf2
pbkdf2 is a password hashing library that uses the PBKDF2 algorithm. It is part of the cryptographic library in Node.js and is widely used. However, PBKDF2 is not memory-hard and is considered less secure than Argon2 for password hashing purposes.
scrypt
scrypt is a password hashing library that uses the scrypt algorithm. It is designed to be memory-hard and is considered secure. However, Argon2 is generally considered to be more secure and efficient than scrypt, and it has been recommended by various security experts and organizations.
node-argon2
Bindings to the reference Argon2
implementation.
Want to use it on the command line? Instead check
node-argon2-cli.
Usage
It's possible to hash using either Argon2i, Argon2d or Argon2id (default), and
verify if a password matches a hash.
To hash a password:
const argon2 = require('argon2');
try {
const hash = await argon2.hash("password");
} catch (err) {
}
To see how you can modify the output (hash length, encoding) and parameters
(time cost, memory cost and parallelism),
read the wiki
To verify a password:
try {
if (await argon2.verify("<big long hash>", "password")) {
} else {
}
} catch (err) {
}
Migrating from another hash function
See this article on the wiki for steps on how to migrate your existing code to Argon2. It's easy!
TypeScript usage
A TypeScript type declaration file is published with this module. If you are
using TypeScript 2.0.0 or later, that means you do not need to install any
additional typings in order to get access to the strongly typed interface.
Simply use the library as mentioned above.
import * as argon2 from "argon2";
const hash = await argon2.hash(..);
Prebuilt binaries
node-argon2 provides prebuilt binaries from v0.26.0
onwards. They are
built every release using GitHub Actions.
The current prebuilt binaries are built and tested with the following systems:
- Ubuntu 20.04 (x86-64; ARM64 from v0.28.2)
- MacOS 11 (x86-64)
- MacOS 12 (ARM64 from v0.29.0)
- Windows Server 2019 (x86-64)
- Alpine Linux 3.13 (x86-64 from v0.28.1; ARM64 from v0.28.2)
- FreeBSD 13.1 (x86-64 from v0.29.1)
Binaries should also work for any version more recent than the ones listed
above. For example, the binary for Ubuntu 20.04 also works on Ubuntu 22.04, or
any other Linux system that ships a newer version of glibc; the binary for
MacOS 11 also works on MacOS 12. If your platform is below the above
requirements, you can follow the Before installing
section below to manually compile from source. It is also always recommended to
build from source to ensure consistency of the compiled module.
Before installing
You can skip this section if the prebuilt binaries work for you.
You MUST have a node-gyp global install before proceeding with the install,
along with GCC >= 5 / Clang >= 3.3. On Windows, you must compile under Visual
Studio 2015 or newer.
node-argon2 works only and is tested against Node >=14.0.0.
OSX
To install GCC >= 5 on OSX, use homebrew:
$ brew install gcc
Once you've got GCC installed and ready to run, you then need to install
node-gyp, you must do this globally:
$ npm install -g node-gyp
Finally, once node-gyp is installed and ready to go, you can install this
library, specifying the GCC or Clang binary to use:
$ CXX=g++-12 npm install argon2
NOTE: If your GCC or Clang binary is named something different than g++-12
,
you'll need to specify that in the command.
FAQ
How do I manually rebuild the binaries?
$ npx @mapbox/node-pre-gyp rebuild -C ./node_modules/argon2
Run @mapbox/node-pre-gyp
instead of node-gyp
because node-argon2's
binding.gyp
file relies on variables from @mapbox/node-pre-gyp
.
You can omit npx @mapbox
and use just node-pre-gyp
if you have a global
installation of @mapbox/node-pre-gyp
, otherwise prefixing npx
will use
the local one in ./node_modules/.bin
How do I skip installing prebuilt binaries and manually compile from source?
You can do either of the two methods below:
- Force build from source on install.
$ npm install argon2 --build-from-source
- Ignore
node-argon2
install script and build manually.
$ npm install argon2 --ignore-scripts
$ npx @mapbox/node-pre-gyp rebuild -C ./node_modules/argon2
I installed Node as a snap, and I can't install node-argon2.
This seems to be an issue related to snap (see #345 (comment)). Installing Node with another package manager, such as asdf or nvm, is a possible workaround.
The interface of both are very similar, notably, node-argon2-ffi splits the
argon2i and argon2d function set, but this module also has the argon2id option,
which node-argon2-ffi does not support. Also, while node-argon2-ffi
suggests you promisify crypto.randomBytes
, node-argon2 library does that
internally.
node-argon2 is much lighter than node-argon2-ffi, at 184 KB for
argon2@0.29.1 against 2.56 MB for argon2-ffi@1.2.0. Performance-wise, the
libraries are equal. You can run the same benchmark suite if you are curious,
but both can perform around 130 hashes/second on an Intel Core i5-4460 @ 3.2GHz
with default options.
This library is implemented natively, meaning it is an extension to the node
engine. Thus, half of the code is C++ bindings, the other half is Javascript
functions. node-argon2-ffi uses ffi, a mechanism to call functions from one
language in another, and handles the type bindings (e.g. JS Number -> C++ int).
Contributors
Code contributors
This project exists thanks to all the people who contribute. [Contribute].
Financial contributors
Become a financial contributor and help us sustain our community. [Contribute]
Individuals
Organizations
Support this project with your organization. Your logo will show up here with a link to your website. [Contribute]
License
Work licensed under the MIT License. Please check
P-H-C/phc-winner-argon2 for
license over Argon2 and the reference implementation.