Skip to content
/ bcrypt.js Public

Optimized bcrypt in JavaScript with zero dependencies, with TypeScript support.

License

View license
3.6k stars 274 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

dcodeIO/bcrypt.js

BranchesTags

Repository files navigation

bcrypt.js

Optimized bcrypt in JavaScript with zero dependencies. Compatible to the C++ bcrypt binding on node.js and also working in the browser.

Build Status Publish Status npm

Security considerations

Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power. (see)

While bcrypt.js is compatible to the C++ bcrypt binding, it is written in pure JavaScript and thus slower (about 30%), effectively reducing the number of iterations that can be processed in an equal time span.

The maximum input length is 72 bytes (note that UTF8 encoded characters use up to 4 bytes) and the length of generated hashes is 60 characters.

Usage

The package exports an ECMAScript module with an UMD fallback.

$> npm install bcryptjs

import bcrypt from 'bcryptjs'

Usage with a CDN

  • From GitHub via jsDelivr:
    https://cdn.jsdelivr.net/gh/dcodeIO/bcrypt.js@TAG/index.js (ESM)
  • From npm via jsDelivr:
    https://cdn.jsdelivr.net/npm/bcryptjs@VERSION/index.js (ESM)
    https://cdn.jsdelivr.net/npm/bcryptjs@VERSION/umd/index.js (UMD)
  • From npm via unpkg:
    https://unpkg.com/bcryptjs@VERSION/index.js (ESM)
    https://unpkg.com/bcryptjs@VERSION/umd/index.js (UMD)

Replace TAG respectively VERSION with a specific version or omit it (not recommended in production) to use latest.

Usage - Sync

To hash a password:

const salt = bcrypt.genSaltSync(10)
const hash = bcrypt.hashSync('B4c0/\/', salt)
// Store hash in your password DB

To check a password:

// Load hash from your password DB
bcrypt.compareSync('B4c0/\/', hash) // true
bcrypt.compareSync('not_bacon', hash) // false

Auto-gen a salt and hash:

const hash = bcrypt.hashSync('bacon', 10)

Usage - Async

To hash a password:

const salt = await bcrypt.genSalt(10)
const hash = await bcrypt.hash('B4c0/\/', salt)
// Store hash in your password DB
bcrypt.genSalt(10, (err, salt) => {
    bcrypt.hash('B4c0/\/', salt, function(err, hash) {
        // Store hash in your password DB
    })
})

To check a password:

// Load hash from your password DB
await bcrypt.compare('B4c0/\/', hash) // true
await bcrypt.compare('not_bacon', hash) // false
// Load hash from your password DB
bcrypt.compare('B4c0/\/', hash, (err, res) => {
    // res === true
})
bcrypt.compare('not_bacon', hash, (err, res) => {
    // res === false
})

Auto-gen a salt and hash:

await bcrypt.hash('B4c0/\/', 10)
// Store hash in your password DB
bcrypt.hash('B4c0/\/', 10, (err, hash) => {
    // Store hash in your password DB
})

Note: Under the hood, asynchronous APIs split an operation into small chunks. After the completion of a chunk, the execution of the next chunk is placed on the back of the JS event queue, efficiently yielding for other computation to execute.

Usage - Command Line

Usage: bcrypt <input> [rounds|salt]

API

Callback types

  • type Callback<T>: (err: Error | null, result?: T) => void

  • type ProgressCallback: (percentage: number) => void

Functions

  • bcrypt.setRandomFallback(random: (length: number) => number[]): void
    Sets the pseudo random number generator to use as a fallback if neither Node's crypto module nor the Web Crypto API is available. Please note: It is highly important that the PRNG used is cryptographically secure and that it is seeded properly!

  • bcrypt.genSaltSync(rounds?: number): string
    Synchronously generates a salt. Number of rounds defaults to 10 when omitted.

  • bcrypt.genSalt(rounds?: number): Promise<string>
    bcrypt.genSalt(rounds: number, callback: Callback<string>): void
    bcrypt.genSalt(callback: Callback<string>): void
    Asynchronously generates a salt. Number of rounds defaults to 10 when omitted.

  • bcrypt.hashSync(s: string, salt?: number | string): string Synchronously generates a hash for the given string. Number of rounds defaults to 10 when omitted.

  • bcrypt.hash(s: string, salt: number | string): Promise<string>
    bcrypt.hash(s: string, salt: number | string, callback: Callback<string>, progressCallback?: ProgressCallback): void
    Asynchronously generates a hash for the given string. Optionally calls a progress callback with the percentage of rounds completed (0.0 - 1.0), maximally once per MAX_EXECUTION_TIME = 100 ms.

  • bcrypt.compareSync(s: string, hash: string): boolean
    Synchronously tests a string against a hash.

  • bcrypt.compare(s: string, hash: string): Promise<boolean>
    bcrypt.compare(s: string, hash: string, callback: Callback<boolean>, progressCallback?: ProgressCallback)
    Asynchronously compares a string against a hash. Optionally calls a progress callback with the percentage of rounds completed (0.0 - 1.0), maximally once per MAX_EXECUTION_TIME = 100 ms.

  • bcrypt.getRounds(hash: string): number
    Gets the number of rounds used to encrypt the specified hash.

  • bcrypt.getSalt(hash: string): string
    Gets the salt portion from a hash. Does not validate the hash.

Credits

Based on work started by Shane Girish at bcrypt-nodejs, which is itself based on javascript-bcrypt (New BSD-licensed).

About

Optimized bcrypt in JavaScript with zero dependencies, with TypeScript support.

Topics

javascript authentication bcrypt

Resources

Readme

License

View license
Activity

Stars

3.6k stars

Watchers

48 watching

Forks

274 forks
Report repository

Releases 8

v3.0.2 Latest
Feb 18, 2025
+ 7 releases

Sponsor this project

 
Learn more about GitHub Sponsors

Packages

No packages published

Contributors 10

Languages