s-salt-pepper
Advanced tools
npm install s-salt-pepper
Generate a password hash with a salt when a user signs up:
var password = require('s-salt-pepper');
// configure once
password.configure({
pepper: 'your random string goes here'
});
// hash a string 'foo' and save returned salt and hash to (fake) user
password.hash('foo', function(err, salt, hash) {
if (err) {
// handle error
}
user.salt = salt;
user.hash = hash;
});
Compare hashes when user logs in:
password.compare('foo', user.salt, function(err, hash) {
if (user.hash === hash) {
// it worked, password 'foo' was correct
}
});
S-salt-pepper is based on node-pwd and usage is almost identical. This is more secure in the case that the database is compromised, but not the server, as part of the salt (the pepper) is saved on the server.
Important: you must set your own pepper. Do not leave this to the default.
The following can be configured:
password.configure({
hashLength: 256, // bytes of pbkdf2 hash
saltLength: 128, // number of random bytes for salt
pepper: 'something secret' // your unique pepper, to be concatenated with salt when comparing passwords
});
You can configure the length of the final hash and salt hashlength and saltLength in bytes (before base64 conversion, roughly 3/4 of final length). The pepper is concatenated to to the salt then hashed.
Copyright (c) 2015, Sebastian Sandqvist s.github@sparque.me
Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
FAQs
Password hashing (via pbkdf2) with salt and pepper
The npm package s-salt-pepper receives a total of 22 weekly downloads. As such, s-salt-pepper popularity was classified as not popular.
We found that s-salt-pepper demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.
Security News
PyPI now supports digital attestations, enhancing security and trust by allowing package maintainers to verify the authenticity of Python packages.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.