
password-hash
password-hash is a node.js library to simplify use of hashed passwords.
Storing passwords in plain text is bad. This library makes storing hashed passwords, and subsequently validating them, a bit easier.
password-hash provides functions for generating a hashed password and verifying a plain-text password against a hashed password. For a bit of added strength, a random salt is generated when the password is hashed. The hashed password contains both the cryptographic algorithm that was used as well as the salt, so all that is needed to verify a plain-text password is the hashed password itself.
npm install password-hash
Generates a hash of the required password argument. Hashing behavior can be modified with the optional options object:
algorithm - A valid cryptographic algorithm for use with the crypto.createHmac function, defaults to 'sha1'.
saltLength - The length of the salt that will be generated when the password is hashed, defaults to 8.
iterations - The number of times the hashing algorithm should be applied, defaults to 1.
Errors are thrown if:
password is not a string
options.algorithm is specified but not a valid cryptographic algorithm
options.saltLength is specified but not a positive integer
The hashed password will be in the format algorithm$salt$hash.
Example:
    var passwordHash = require('password-hash');
    var hashedPassword = passwordHash.generate('password123');
    console.log(hashedPassword); // sha1$3I7HRwy7$cbfdac6008f9cab4083784cbd1874f76618d2a97
Compares a plain-text password (password) to a hashed password (hashedPassword) and returns a boolean. Both arguments are required.
Example:
    var passwordHash = require('./lib/password-hash');
    var hashedPassword = 'sha1$3I7HRwy7$cbfdac6008f9cab4083784cbd1874f76618d2a97';
    console.log(passwordHash.verify('password123', hashedPassword)); // true
    console.log(passwordHash.verify('Password0', hashedPassword)); // false
Check if a password (password) is hashed. Returns a boolean.
Example:
    var passwordHash = require('./lib/password-hash');
    var hashedPassword = 'sha1$3I7HRwy7$cbfdac6008f9cab4083784cbd1874f76618d2a97';
    console.log(passwordHash.isHashed('password123')); // false
    console.log(passwordHash.isHashed(hashedPassword)); // true
node 0.5.8 introduced crypto.randomBytes, which generates cryptographically strong pseudo-random data. If the version of node supports crypto.randomBytes, it is used to generate the salt; otherwise Math.random, which is not cryptographically strong, is used. This is handled transparently within the salt generation function and does not impact the module's API.
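The stored format and the defaults described above can be checked across an existing credential table. The following is an added example, not code from password-hash: it parses values in the algorithm$salt$hash format and reports findings per row. The function names, the 16-character salt minimum, the legacy-algorithm list and the expectation of a lowercase hex digest (as in the example value) are assumptions of this example.

```javascript
const crypto = require('crypto');

// Assumed audit policy for this example (not part of password-hash).
const MIN_SALT_LENGTH = 16;
const LEGACY_ALGORITHMS = new Set(['md5', 'sha1']);

// Hex length of an HMAC digest for `algorithm`, or null when this Node
// build rejects the algorithm name.
function hexDigestLength(algorithm) {
  try {
    return crypto.createHmac(algorithm, 'k').update('').digest('hex').length;
  } catch (e) {
    return null;
  }
}

// Parse one stored value in the documented algorithm$salt$hash format and
// return the findings an audit of a credential table would report.
function auditStoredHash(stored) {
  const parts = typeof stored === 'string' ? stored.split('$') : [];
  if (parts.length !== 3 || parts.some((p) => p.length === 0)) {
    return { parsed: false, findings: ['not in algorithm$salt$hash format'] };
  }
  const [algorithm, salt, hash] = parts;
  const findings = [];
  const expected = hexDigestLength(algorithm);
  if (expected === null) {
    findings.push('unknown algorithm: ' + algorithm);
  } else if (!/^[0-9a-f]+$/.test(hash) || hash.length !== expected) {
    findings.push('digest is not ' + expected + ' lowercase hex characters');
  }
  if (LEGACY_ALGORITHMS.has(algorithm)) findings.push('legacy algorithm: ' + algorithm);
  if (salt.length < MIN_SALT_LENGTH) findings.push('short salt: ' + salt.length);
  return { parsed: true, algorithm, saltLength: salt.length, findings };
}

// Constructed sample rows; the first is the example value shown above.
const SAMPLE_ROWS = [
  'sha1$3I7HRwy7$cbfdac6008f9cab4083784cbd1874f76618d2a97',
  'password123', // plain text that was never hashed
  'sha256$3I7HRwy7$cbfdac6008f9cab4083784cbd1874f76618d2a97', // truncated digest
];

console.log(JSON.stringify(SAMPLE_ROWS.map(auditStoredHash), null, 2));
```

Rows with findings are candidates for rehashing the next time the user presents the plain-text password, since the stored value alone cannot be converted.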
password-hash is inspired by the password hashing found in Werkzeug.
FAQs
Password hashing and verification for node.js
The npm package password-hash receives a total of 27,639 weekly downloads. As such, password-hash popularity was classified as popular.
We found that password-hash demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.