calibrate-bcrypt-rounds
Advanced tools
Calculate bcrypt rounds on the fly rather than hardcoding a specific number
Calculate bcrypt rounds on the fly rather than hardcoding a specific number
$ yarn add calibrate-bcrypt-rounds
import calibrate from 'calibrate-bcrypt-rounds';
import bcrypt from 'bcryptjs';
// Note how the calibrate function is called once, when the module is loaded
const rounds = await calibrate(bcrypt, 241);
export default async function hashPassword(password) {
return bcrypt.hash(password, rounds);
}
Note: using calibrate will help pick the right cost factor every time
you restart or redeploy your app. But it won't update old passwords hashed
with fewer rounds. As you check passwords, you should also check to see if
they need to be rehashed with more rounds to keep them secure, i.e.:
if (await bcrypt.compare(req.body.password, user.hashedPassword)) {
// User has authenticated, now rehash password if needed
if (bcrypt.getRounds(user.hashedPassword) < myAppConfig.bcryptRoundsFromCalibration) {
user.hashedPassword = await bcrypt.hash(req.body.password, myAppConfig.bcryptRoundsFromCalibration);
await user.save();
}
// ...
}
## Motivation
bcrypt is an adaptive hashing function, meaning that it accepts a `cost` (or
`rounds`) parameter determines how much work to perform. When bcrypt was
first released in 1999, the original suggested cost factor was 6. Today
(2018), thanks to faster hardware, that recommendation is now somewhere
between 11 and 14 (each increment of the cost factor doubles the work).
Rather than hardcoding a specific cost factor into your code (which will likely
become out date in a year), you should instead calculate an appropriate cost
factor based on how long you want it to take to calculate.
This module automates that process by running bcrypt with progressively
increasing cost factors until it takes at least as long as you specify to
hash a password.
See [this Security StackExchange answer](https://security.stackexchange.com/questions/3959/recommended-of-iterations-when-using-pkbdf2-sha256/3993#3993)
for more detail.
FAQs
Calculate bcrypt rounds on the fly rather than hardcoding a specific number
The npm package calibrate-bcrypt-rounds receives a total of 3 weekly downloads. As such, calibrate-bcrypt-rounds popularity was classified as not popular.
We found that calibrate-bcrypt-rounds demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Newly introduced telemetry in devenv 1.4 sparked a backlash over privacy concerns, leading to the removal of its AI-powered feature after strong community pushback.
Security News
TC39 met in Seattle and advanced 9 JavaScript proposals, including three to Stage 4, introducing new features and enhancements for a future ECMAScript release.
Security News
Deno 2.2 enhances Node.js compatibility, improves dependency management, adds OpenTelemetry support, and expands linting and task automation for developers.