bcryptjs

Optimized bcrypt in plain JavaScript with zero dependencies. Compatible to 'bcrypt'.

Optimized bcrypt in JavaScript with zero dependencies. Compatible to the C++ bcrypt binding on node.js and also working in the browser.

Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power. (see)

While bcrypt.js is compatible to the C++ bcrypt binding, it is written in pure JavaScript and thus slower (about 2.7 times), effectively reducing the number of iterations that can be processed in an equal time span.

The maximum input length is 72 bytes (note that UTF8 encoded characters use up to 4 bytes) and the length of generated hashes is 60 characters.

The library is compatible with CommonJS and AMD loaders and is exposed globally as dcodeIO.bcrypt if neither is available.

On node.js, the inbuilt crypto module's randomBytes interface is used to obtain secure random numbers.

npm install bcryptjs

var bcrypt = require('bcryptjs');
...

In the browser, bcrypt.js relies on Web Crypto API's getRandomValues interface to obtain secure random numbers. If no cryptographically secure source of randomness is available, you may specify one through bcrypt.setRandomFallback.

var bcrypt = dcodeIO.bcrypt;
...

or

require.config({
    paths: { "bcrypt": "/path/to/bcrypt.js" }
});
require(["bcrypt"], function(bcrypt) {
    ...
});

To hash a password:

var bcrypt = require('bcryptjs');
var salt = bcrypt.genSaltSync(10);
var hash = bcrypt.hashSync("B4c0/\/", salt);
// Store hash in your password DB. 

To check a password:

// Load hash from your password DB. 
bcrypt.compareSync("B4c0/\/", hash); // true 
bcrypt.compareSync("not_bacon", hash); // false 

Auto-gen a salt and hash:

var hash = bcrypt.hashSync('bacon', 8);

To hash a password:

var bcrypt = require('bcryptjs');
bcrypt.genSalt(10, function(errsalt) {
    bcrypt.hash("B4c0/\/", salt, function(errhash) {
        // Store hash in your password DB. 
    });
});

To check a password:

// Load hash from your password DB. 
bcrypt.compare("B4c0/\/", hash, function(errres) {
    // res == true 
});
bcrypt.compare("not_bacon", hash, function(errres) {
    // res = false 
});

Auto-gen a salt and hash:

bcrypt.hash('bacon', 8, function(errhash) {
});

Sets the pseudo random number generator to use as a fallback if neither node's crypto module nor the Web Crypto API is available. Please note: It is highly important that the PRNG used is cryptographically secure and that it is seeded properly!

ParameterTypeDescription
randomfunction(number):!Array.<number>Function taking the number of bytes to generate as its sole argument, returning the corresponding array of cryptographically secure random byte values.
@seehttp://nodejs.org/api/crypto.html
@seehttp://www.w3.org/TR/WebCryptoAPI/

Hint: You might use isaac.js as a CSPRNG but you still have to make sure to seed it properly.

Synchronously generates a salt.

ParameterTypeDescription
roundsnumberNumber of rounds to use, defaults to 10 if omitted
seed_lengthnumberNot supported.
@returnsstringResulting salt
@throwsErrorIf a random fallback is required but not set

Asynchronously generates a salt.

ParameterTypeDescription
roundsnumber | function(Error, string=)Number of rounds to use, defaults to 10 if omitted
seed_lengthnumber | function(Error, string=)Not supported.
callbackfunction(Error, string=)Callback receiving the error, if any, and the resulting salt

Synchronously generates a hash for the given string.

ParameterTypeDescription
sstringString to hash
saltnumber | stringSalt length to generate or salt to use, default to 10
@returnsstringResulting hash

Asynchronously generates a hash for the given string.

ParameterTypeDescription
sstringString to hash
saltnumber | stringSalt length to generate or salt to use
callbackfunction(Error, string=)Callback receiving the error, if any, and the resulting hash
progressCallbackfunction(number)Callback successively called with the percentage of rounds completed (0.0 - 1.0), maximally once per MAX_EXECUTION_TIME = 100 ms.

Synchronously tests a string against a hash.

ParameterTypeDescription
sstringString to compare
hashstringHash to test against
@returnsbooleantrue if matching, otherwise false
@throwsErrorIf an argument is illegal

Asynchronously compares the given data against the given hash.

ParameterTypeDescription
sstringData to compare
hashstringData to be compared to
callbackfunction(Error, boolean)Callback receiving the error, if any, otherwise the result
progressCallbackfunction(number)Callback successively called with the percentage of rounds completed (0.0 - 1.0), maximally once per MAX_EXECUTION_TIME = 100 ms.
@throwsErrorIf the callback argument is invalid

Gets the number of rounds used to encrypt the specified hash.

ParameterTypeDescription
hashstringHash to extract the used number of rounds from
@returnsnumberNumber of rounds used
@throwsErrorIf hash is not a string

Gets the salt portion from a hash. Does not validate the hash.

ParameterTypeDescription
hashstringHash to extract the salt from
@returnsstringExtracted salt part
@throwsErrorIf hash is not a string or otherwise invalid

Usage: bcrypt <input> [salt]

If the input has spaces inside, simply surround it with quotes.

Based on work started by Shane Girish at bcrypt-nodejs (MIT-licensed), which is itself based on javascript-bcrypt (New BSD-licensed).

New-BSD / MIT (see)