Hash passwords the right way (Argon2 & bcrypt support)
Hashy is a small Node.js library which aims to do password hashing the correct way.
It has been heavily inspired by the new PHP password hashing API but, following the Node.js philosophy, hashing is done asynchronously.
Furthermore, to make the interface as easy to use as possible, the asynchronous functions can either be used with callbacks or return promises, which makes them very easy to use with async functions.
Supported algorithms:
The other ones I found were too complicated and/or were missing important features.
The main missing feature is the needsRehash() function: cryptography is a fast-moving science and algorithms can quickly become obsolete, or their parameters need to be adjusted to compensate for the performance increase of recent computers (e.g. the bcrypt cost factor).
This is exactly what this function is for: checking whether a hash uses the correct algorithm (and options) to see if we need to compute a new hash for this password.
Installation of the npm package:
> npm install --save hashy
Hashy requires promise support; for Node versions prior to 0.12, see this page to enable them.
First, you may take a look at examples: using callbacks, promises or async functions (requires Node >= 7.6).
hashy.hash(password, function (error, hash) {
  if (error) {
    return console.log(error);
  }
  console.log("generated hash: ", hash);
});
hash() additionally handles two parameters, which may be passed before the callback: algo, the algorithm to use (it defaults to 'bcrypt'), and options, additional options for the current algorithm (for bcrypt it defaults to {cost: 10}).
hashy.verify(password, hash, function (error, success) {
  if (error) {
    // The callback parameter is named `error`.
    return console.error(error);
  }
  if (success) {
    console.log("you are now authenticated!");
  } else {
    console.warn("invalid password!");
  }
});
const info = hashy.getInfo(hash);
As I said earlier, we must be able to check whether the hash is up to date, i.e. whether it has been generated by the latest available algorithm with the latest set of options.
if (hashy.needsRehash(hash)) {
  // Rehash.
}
It handles the optional algo and options parameters like hash().
The default options for a given algorithm are available at hashy.options[<algo>].
// Sets the default cost for bcrypt to 12.
hashy.options.bcrypt.cost = 12;
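The upgrade-on-login flow that needsRehash() makes possible, as an added example that is not part of hashy or its README. It uses Node's built-in scrypt instead of bcrypt or Argon2 so that it runs without dependencies; the storage format, the policy values, the login() helper and the local hash/verify/getInfo/needsRehash functions are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Current policy (constructed values); raising N later makes older hashes stale.
const policy = { algo: "scrypt", N: 16384, r: 8, p: 1, keylen: 32 };

// Hypothetical self-describing storage format: algo$N$r$p$salt$key (base64 fields).
// scryptSync keeps the example short; server code would use the async crypto.scrypt.
function hash(password, opts = policy) {
  const salt = crypto.randomBytes(16);
  const { N, r, p } = opts;
  const key = crypto.scryptSync(password, salt, opts.keylen, { N, r, p });
  return [opts.algo, N, r, p, salt.toString("base64"), key.toString("base64")].join("$");
}

// Recover the parameters a hash was created with.
function getInfo(stored) {
  const [algo, N, r, p, salt, key] = String(stored).split("$");
  if (algo !== "scrypt" || !key) throw new Error("unrecognized hash format");
  return {
    algo, N: Number(N), r: Number(r), p: Number(p),
    salt: Buffer.from(salt, "base64"), key: Buffer.from(key, "base64"),
  };
}

function verify(password, stored) {
  const { N, r, p, salt, key } = getInfo(stored);
  // Recompute with the parameters recorded in the hash, not the current policy.
  const candidate = crypto.scryptSync(password, salt, key.length, { N, r, p });
  return crypto.timingSafeEqual(candidate, key); // constant-time comparison
}

// True when the hash was made with anything other than the current policy.
function needsRehash(stored, opts = policy) {
  const info = getInfo(stored);
  return info.algo !== opts.algo || info.N !== opts.N || info.r !== opts.r ||
    info.p !== opts.p || info.key.length !== opts.keylen;
}

// The plaintext is only available at login, so that is when the upgrade happens,
// and only after the old hash has verified. `users` is a Map standing in for a DB.
function login(users, name, password) {
  const stored = users.get(name);
  if (!stored || !verify(password, stored)) return false;
  if (needsRehash(stored)) users.set(name, hash(password));
  return true;
}
```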
Same interface as above but without the callbacks!
// Hashing.
hashy.hash(password).then(function (hash) {
  console.log('generated hash:', hash)
})
// Checking.
hashy.verify(password, hash).then(function (success) {
  if (success) {
    console.log('you are now authenticated!')
  } else {
    console.warn('invalid password!')
  }
})
As you can see, you don't even have to handle errors if you don't want to!
Note: only available since Node.js 7.6.
Same interface as promises, but much closer to synchronous code!
// Hashing.
(async function () {
  const hash = await hashy.hash(password);
  console.log("generated hash:", hash);
})();
// Checking.
(async function () {
  if (await hashy.verify(password, hash)) {
    console.log("you are now authenticated!");
  } else {
    console.warn("invalid password!");
  }
})();
Contributions are very welcome, either on the documentation or on the code.
You may:
Hashy is released under the MIT license.
The npm package hashy receives a total of 860 weekly downloads. As such, hashy popularity was classified as not popular.
We found that hashy demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.