The argon2 npm package is a library for hashing passwords using the Argon2 algorithm, which is a modern, secure, and memory-hard hashing algorithm. It is designed to be resistant to GPU cracking attacks and is considered one of the most secure password hashing algorithms available.
Hashing a password
This feature allows you to hash a password using the Argon2 algorithm. The hash function takes a plain text password and returns a hashed version of it.
const argon2 = require('argon2');
(async () => {
  try {
    const hash = await argon2.hash('password');
    console.log(hash);
  } catch (err) {
    console.error(err);
  }
})();
Verifying a password
This feature allows you to verify a password against a previously hashed password. The verify function takes a hash and a plain text password and returns a boolean indicating whether the password matches the hash.
const argon2 = require('argon2');
(async () => {
  try {
    const hash = await argon2.hash('password');
    const isMatch = await argon2.verify(hash, 'password');
    console.log(isMatch); // true
  } catch (err) {
    console.error(err);
  }
})();
Configuring hashing options
This feature allows you to configure various options for the hashing process, such as the type of Argon2 algorithm to use (argon2d, argon2i, or argon2id), memory cost, time cost, and parallelism.
const argon2 = require('argon2');
(async () => {
  try {
    const hash = await argon2.hash('password', {
      type: argon2.argon2id,
      memoryCost: 2 ** 16,
      timeCost: 5,
      parallelism: 1
    });
    console.log(hash);
  } catch (err) {
    console.error(err);
  }
})();
bcrypt is a popular password hashing library that uses the bcrypt algorithm. It is widely used and has been around for a long time. While bcrypt is still considered secure, Argon2 is generally considered to be more secure due to its resistance to GPU cracking attacks and its memory-hard properties.
pbkdf2 is a password hashing library that uses the PBKDF2 algorithm. It is part of the cryptographic library in Node.js and is widely used. However, PBKDF2 is not memory-hard and is considered less secure than Argon2 for password hashing purposes.
scrypt is a password hashing library that uses the scrypt algorithm. It is designed to be memory-hard and is considered secure. However, Argon2 is generally considered to be more secure and efficient than scrypt, and it has been recommended by various security experts and organizations.
Bindings to the reference Argon2 implementation.
You MUST have a global install of node-gyp before proceeding with the install. node-argon2 works only on, and is tested against, Node.js >=4.0.0.
It is possible to hash a password with either Argon2i (the default) or Argon2d, synchronously or asynchronously, to verify whether a password matches a hash, and to generate random cryptographically safe salts. Salts must be buffers exactly 16 bytes long; strings are converted automatically, but this conversion is deprecated and should NOT be relied upon.
To hash a password:
var argon2 = require('argon2');
argon2.hash('password', 'somesalt', function (err, hash) {
  if (err) // hashing failure
    throw err;
  doSomethingWith(hash);
});
// OR
try {
  var hash = argon2.hashSync('password', 'somesaltwith16ch');
} catch (err) {
  console.log(err);
}
Resultant hashes will be 90 characters long. You can choose between Argon2i and Argon2d by passing an object as the third argument with the argon2d key set to whether or not you want Argon2d:
var argon2 = require('argon2');
argon2.hash('password', 'somesalt', {
  argon2d: true
}, function (err, hash) {
  // ...
});
// OR
try {
  var hash = argon2.hashSync('password', 'somesaltwith16ch', {
    argon2d: true
  });
} catch (err) {
  // ...
}
The argon2d option is flexible and accepts any truthy or falsy value.
You can provide your own salt as the second parameter. It is recommended to use the salt generating methods instead of a hardcoded, constant salt:
var argon2 = require('argon2');
argon2.generateSalt(function (err, salt) {
  doSomethingWith(salt);
});
// OR
var salt = argon2.generateSaltSync();
You can also modify the time, memory and parallelism constraints by passing the object as the third parameter, with keys timeCost, memoryCost and parallelism, which default to 3, 12 (meaning 2^12 KB) and 1 (threads) respectively:
var argon2 = require('argon2');
argon2.generateSalt(function (err, salt) {
  argon2.hash('password', salt, {
    timeCost: 4, memoryCost: 13, parallelism: 2
  }, function (err, hash) {
    // ...
  });
});
// OR
var hash = argon2.hashSync('password', argon2.generateSaltSync(), {
  timeCost: 4, memoryCost: 13, parallelism: 2
});
The default parameters for Argon2 can be accessed with defaults:
var argon2 = require('argon2');
console.log(argon2.defaults);
// => { timeCost: 3, memoryCost: 12, parallelism: 1, argon2d: false }
To verify a password:
var argon2 = require('argon2');
argon2.verify('<big long hash>', 'password', function (err) {
  if (err) // password did not match
    throw err;
  authenticate();
});
// OR
if (argon2.verifySync('<big long hash>', 'password')) {
  authenticate();
} else {
  fail();
}
First parameter must have been generated by an Argon2 encoded hashing method, not raw.
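As an added example (not code from the argon2 package or its README), the following relates to the note just above and to the options shown in the first section of this page: the encoded string argon2.hash() returns carries the variant, version and cost parameters, which is why verification needs the encoded form and not a raw hash. The parser below reads those fields and flags hashes produced with weaker settings than an assumed minimum policy; the policy values and the sample strings are constructed for illustration.

```javascript
// Added example, not code from the argon2 package. An encoded argon2 hash
// (PHC string) looks like $argon2id$v=19$m=65536,t=5,p=1$<salt b64>$<hash b64>;
// parsing it lets an app detect old hashes made with weaker cost settings
// and rehash them after the next successful login.
const TYPES = new Set(['argon2d', 'argon2i', 'argon2id']);
const B64 = /^[A-Za-z0-9+/]+$/; // PHC strings use unpadded base64

// Minimum policy, assumed for this example; it mirrors the options on this page.
const POLICY = { type: 'argon2id', memoryCost: 2 ** 16, timeCost: 5, parallelism: 1 };

// Parse an encoded hash. Throws for a raw hash or any malformed string,
// since verify() likewise requires the encoded form.
function parseEncoded(encoded) {
  if (typeof encoded !== 'string' || !encoded.startsWith('$argon2')) {
    throw new TypeError('expected an argon2 encoded hash, not a raw hash');
  }
  const parts = encoded.split('$'); // leading '$' yields an empty first item
  if (parts.length !== 6) throw new TypeError('malformed argon2 encoded hash');
  const [, type, version, params, salt, hash] = parts;
  if (!TYPES.has(type)) throw new TypeError(`unknown argon2 variant: ${type}`);
  const v = /^v=(\d+)$/.exec(version);
  const m = /^m=(\d+),t=(\d+),p=(\d+)$/.exec(params);
  if (!v || !m || !B64.test(salt) || !B64.test(hash)) {
    throw new TypeError('malformed argon2 encoded hash');
  }
  return {
    type,
    version: Number(v[1]),
    memoryCost: Number(m[1]), // KiB as stored in the string, not an exponent
    timeCost: Number(m[2]),
    parallelism: Number(m[3]),
    saltBytes: Buffer.from(salt, 'base64').length,
  };
}

// True when the stored hash is weaker than the policy and should be redone.
function needsRehash(encoded, policy = POLICY) {
  const p = parseEncoded(encoded);
  return p.type !== policy.type
    || p.memoryCost < policy.memoryCost
    || p.timeCost < policy.timeCost
    || p.parallelism < policy.parallelism;
}

// Constructed sample strings: the salt is base64 of 'somesaltwith16ch' and the
// hash field is filler, not real argon2 output; only the format matters here.
const STRONG = '$argon2id$v=19$m=65536,t=5,p=1$c29tZXNhbHR3aXRoMTZjaA$' + 'A'.repeat(43);
const WEAK = '$argon2i$v=19$m=4096,t=3,p=1$c29tZXNhbHR3aXRoMTZjaA$' + 'A'.repeat(43);
console.log(needsRehash(STRONG), needsRehash(WEAK)); // false true
```

Note that the older API on this page took memoryCost as an exponent (12 meaning 2^12 KB), while the m= field in the encoded string is always the absolute amount in KiB.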
Work licensed under the MIT License. Please check P-H-C/phc-winner-argon2 (https://github.com/P-H-C/phc-winner-argon2) for the license covering Argon2 and the reference implementation.
FAQs
An Argon2 library for Node
We found that argon2 demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.