Product
Introducing Webhook Events for Alert Changes
Add real-time Socket webhook events to your workflows to automatically receive software supply chain alert changes in real time.
By Phil Gates-Idem -  Nov 21, 2025
🚀 DAY 5 OF LAUNCH WEEK:Introducing Webhook Events for Alert Changes.Learn more →
bcrypt-pbkdf
Advanced tools
Port of the OpenBSD bcrypt_pbkdf function to pure Javascript. npm-ified
version of Devi Mandiri's port,
with some minor performance improvements. The code is copied verbatim (and
un-styled) from Devi's work.
This product includes software developed by Niels Provos.
API
bcrypt_pbkdf.pbkdf(pass, passlen, salt, saltlen, key, keylen, rounds)
Derive a cryptographic key of arbitrary length from a given password and salt,
using the OpenBSD bcrypt_pbkdf function. This is a combination of Blowfish and
SHA-512.
See this article for further information.
Parameters:
pass, a Uint8Array of lengthpasslenpasslen, an integer Numbersalt, a Uint8Array of lengthsaltlensaltlen, an integer Numberkey, a Uint8Array of lengthkeylen, will be filled with outputkeylen, an integer Numberrounds, an integer Number, number of rounds of the PBKDF to run
bcrypt_pbkdf.hash(sha2pass, sha2salt, out)
Calculate a Blowfish hash, given SHA2-512 output of a password and salt. Used as part of the inner round function in the PBKDF.
Parameters:
sha2pass, a Uint8Array of length 64sha2salt, a Uint8Array of length 64out, a Uint8Array of length 32, will be filled with output
License
This source form is a 1:1 port from the OpenBSD blowfish.c and bcrypt_pbkdf.c.
As a result, it retains the original copyright and license. The two files are
under slightly different (but compatible) licenses, and are here combined in
one file. For each of the full license texts see LICENSE.
Other packages similar to bcrypt-pbkdf
pbkdf2
The pbkdf2 package is a pure JavaScript implementation of PBKDF2 (Password-Based Key Derivation Function 2). It is similar to bcrypt-pbkdf in that it provides functionality for securely deriving keys from passwords. However, pbkdf2 does not use bcrypt as its pseudorandom function, which may make it less resistant to brute-force attacks compared to bcrypt-pbkdf.
argon2
Argon2 is another key derivation function that won the Password Hashing Competition and is considered one of the most secure options for password hashing and key derivation. Unlike bcrypt-pbkdf, which uses bcrypt in its PBKDF2 implementation, Argon2 has its own unique algorithm designed to be highly resistant against brute-force attacks. It offers configurable memory, CPU, and parallelism to make it difficult for attackers to optimize their attack.
FAQs
Port of the OpenBSD bcrypt_pbkdf function to pure JS
The npm package bcrypt-pbkdf receives a total of 18,147,908 weekly downloads. As such, bcrypt-pbkdf popularity was classified as popular.
We found that bcrypt-pbkdf demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.
Package last updated on 29 Jun 2018
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
ENISA Becomes a CVE Root, Expanding Its Role in Europe’s Vulnerability Ecosystem
ENISA has become a CVE Program Root, giving the EU a central authority for coordinating vulnerability reporting, disclosure, and cross-border response.
By Sarah Gooding -  Nov 21, 2025
Product
Introducing Socket Scanning for OpenVSX Extensions
Socket now scans OpenVSX extensions, giving teams early detection of risky behaviors, hidden capabilities, and supply chain threats in developer tools.
By Mix Irving, Ryan Eberhardt -  Nov 20, 2025