Gathering detailed insights and metrics for bcryptjs
Gathering detailed insights and metrics for bcryptjs
Optimized bcrypt in plain JavaScript with zero dependencies.
Installations
npm install bcryptjsScore
98.6
Supply Chain
99.6
Quality
76
Maintenance
100
Vulnerability
99.6
License
Developer
dcodeIO
Developer Guide
BETA
Module System
CommonJS, UMD
Min. Node Version
Typescript Support
No
Node Version
6.9.1
NPM Version
4.0.5
Statistics
3,542 Stars
106 Commits
270 Forks
49 Watching
1 Branches
12 Contributors
Updated on 23 Nov 2024
Bundle Size
21.24 kB
Minified
9.59 kB
Minified + Gzipped
Languages
JavaScript (100%)
Total Downloads
Cumulative downloads
Total Downloads
392,121,182
Last day
-16%
366,917
Compared to previous day
Last week
-2.1%
2,306,600
Compared to previous week
Last month
2.7%
9,798,769
Compared to previous month
Last year
18.1%
103,244,765
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dev Dependencies
5
Versions
bcrypt.js
Optimized bcrypt in JavaScript with zero dependencies. Compatible to the C++ bcrypt binding on node.js and also working in the browser.
Security considerations
Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power. (see)
While bcrypt.js is compatible to the C++ bcrypt binding, it is written in pure JavaScript and thus slower (about 30%), effectively reducing the number of iterations that can be processed in an equal time span.
The maximum input length is 72 bytes (note that UTF8 encoded characters use up to 4 bytes) and the length of generated hashes is 60 characters.
Usage
The library is compatible with CommonJS and AMD loaders and is exposed globally as dcodeIO.bcrypt if neither is
available.
node.js
On node.js, the inbuilt crypto module's randomBytes interface is used to obtain secure random numbers.
npm install bcryptjs
1var bcrypt = require('bcryptjs'); 2...
Browser
In the browser, bcrypt.js relies on Web Crypto API's getRandomValues interface to obtain secure random numbers. If no cryptographically secure source of randomness is available, you may specify one through bcrypt.setRandomFallback.
1var bcrypt = dcodeIO.bcrypt; 2...
or
1require.config({ 2 paths: { "bcrypt": "/path/to/bcrypt.js" } 3}); 4require(["bcrypt"], function(bcrypt) { 5 ... 6});
Usage - Sync
To hash a password:
1var bcrypt = require('bcryptjs'); 2var salt = bcrypt.genSaltSync(10); 3var hash = bcrypt.hashSync("B4c0/\/", salt); 4// Store hash in your password DB.
To check a password:
1// Load hash from your password DB. 2bcrypt.compareSync("B4c0/\/", hash); // true 3bcrypt.compareSync("not_bacon", hash); // false
Auto-gen a salt and hash:
1var hash = bcrypt.hashSync('bacon', 8);
Usage - Async
To hash a password:
1var bcrypt = require('bcryptjs'); 2bcrypt.genSalt(10, function(err, salt) { 3 bcrypt.hash("B4c0/\/", salt, function(err, hash) { 4 // Store hash in your password DB. 5 }); 6});
To check a password:
1// Load hash from your password DB. 2bcrypt.compare("B4c0/\/", hash, function(err, res) { 3 // res === true 4}); 5bcrypt.compare("not_bacon", hash, function(err, res) { 6 // res === false 7}); 8 9// As of bcryptjs 2.4.0, compare returns a promise if callback is omitted: 10bcrypt.compare("B4c0/\/", hash).then((res) => { 11 // res === true 12});
Auto-gen a salt and hash:
1bcrypt.hash('bacon', 8, function(err, hash) { 2});
Note: Under the hood, asynchronisation splits a crypto operation into small chunks. After the completion of a chunk, the execution of the next chunk is placed on the back of JS event loop queue, thus efficiently sharing the computational resources with the other operations in the queue.
API
setRandomFallback(random)
Sets the pseudo random number generator to use as a fallback if neither node's crypto module nor the Web Crypto
API is available. Please note: It is highly important that the PRNG used is cryptographically secure and that it is
seeded properly!
| Parameter | Type | Description |
|---|---|---|
| random | function(number):!Array.<number> | Function taking the number of bytes to generate as its sole argument, returning the corresponding array of cryptographically secure random byte values. |
| @see | http://nodejs.org/api/crypto.html | |
| @see | http://www.w3.org/TR/WebCryptoAPI/ |
Hint: You might use isaac.js as a CSPRNG but you still have to make sure to seed it properly.
genSaltSync(rounds=, seed_length=)
Synchronously generates a salt.
| Parameter | Type | Description |
|---|---|---|
| rounds | number | Number of rounds to use, defaults to 10 if omitted |
| seed_length | number | Not supported. |
| @returns | string | Resulting salt |
| @throws | Error | If a random fallback is required but not set |
genSalt(rounds=, seed_length=, callback)
Asynchronously generates a salt.
| Parameter | Type | Description |
|---|---|---|
| rounds | number | function(Error, string=) | Number of rounds to use, defaults to 10 if omitted |
| seed_length | number | function(Error, string=) | Not supported. |
| callback | function(Error, string=) | Callback receiving the error, if any, and the resulting salt |
| @returns | Promise | If callback has been omitted |
| @throws | Error | If callback is present but not a function |
hashSync(s, salt=)
Synchronously generates a hash for the given string.
| Parameter | Type | Description |
|---|---|---|
| s | string | String to hash |
| salt | number | string | Salt length to generate or salt to use, default to 10 |
| @returns | string | Resulting hash |
hash(s, salt, callback, progressCallback=)
Asynchronously generates a hash for the given string.
| Parameter | Type | Description |
|---|---|---|
| s | string | String to hash |
| salt | number | string | Salt length to generate or salt to use |
| callback | function(Error, string=) | Callback receiving the error, if any, and the resulting hash |
| progressCallback | function(number) | Callback successively called with the percentage of rounds completed (0.0 - 1.0), maximally once per MAX_EXECUTION_TIME = 100 ms. |
| @returns | Promise | If callback has been omitted |
| @throws | Error | If callback is present but not a function |
compareSync(s, hash)
Synchronously tests a string against a hash.
| Parameter | Type | Description |
|---|---|---|
| s | string | String to compare |
| hash | string | Hash to test against |
| @returns | boolean | true if matching, otherwise false |
| @throws | Error | If an argument is illegal |
compare(s, hash, callback, progressCallback=)
Asynchronously compares the given data against the given hash.
| Parameter | Type | Description |
|---|---|---|
| s | string | Data to compare |
| hash | string | Data to be compared to |
| callback | function(Error, boolean) | Callback receiving the error, if any, otherwise the result |
| progressCallback | function(number) | Callback successively called with the percentage of rounds completed (0.0 - 1.0), maximally once per MAX_EXECUTION_TIME = 100 ms. |
| @returns | Promise | If callback has been omitted |
| @throws | Error | If callback is present but not a function |
getRounds(hash)
Gets the number of rounds used to encrypt the specified hash.
| Parameter | Type | Description |
|---|---|---|
| hash | string | Hash to extract the used number of rounds from |
| @returns | number | Number of rounds used |
| @throws | Error | If hash is not a string |
getSalt(hash)
Gets the salt portion from a hash. Does not validate the hash.
| Parameter | Type | Description |
|---|---|---|
| hash | string | Hash to extract the salt from |
| @returns | string | Extracted salt part |
| @throws | Error | If hash is not a string or otherwise invalid |
Command line
Usage: bcrypt <input> [salt]
If the input has spaces inside, simply surround it with quotes.
Downloads
Credits
Based on work started by Shane Girish at bcrypt-nodejs (MIT-licensed), which is itself based on javascript-bcrypt (New BSD-licensed).
License
New-BSD / MIT (see)
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
0 existing vulnerabilities detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Warn: project license file does not contain an FSF or OSI license.
Reason
Found 9/22 approved changesets -- score normalized to 4
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 17 are checked with a SAST tool
Score
3.5
/10
Last Scanned on 2024-11-25
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More