php-passwd
Verify password hashed generated in PHP, and hash passwords in the same format.
Designed to be future proof for new hashing algorithms.
php-passwd
is a solution for every kind of webapp which has a user database with passwords hashed with PHP's password_hash. Instead of starting from scratch, just use this package to get compatibility with PHP.
Installation
yarn add php-passwd
Usage
import php_password from 'php-passwd'; const hash = php_password.hash('password123');// php_password.hash(password, [algorithm], [options]);
Output:
"$2y$10$8mNOnsos8qo4qHLcd32zrOg7gmyvfZ6/o9.2nsP/u6TRbrANdLREy"
If algorithm isn't defined, "PASSWORD_DEFAULT" will be used
If no options is supplied, a cryptographically secure salt will be generated with the minimum recommended cost value.
To verify a password against an existing hash in a database o.l:
import php_password from 'php-passwd';const hash = "$2y$10$8mNOnsos8qo4qHLcd32zrOg7gmyvfZ6/o9.2nsP/u6TRbrANdLREy"; if (php_password.verify('password123', hash)){ // Authentication OK} else { // Authentication FAILED}
Options
import php_password from 'php-passwd'; /* * Valid algorithms are "PASSWORD_DEFAULT", and "PASSWORD_BCRYPT" * "PASSWORD_DEFAULT" is just an alias to "PASSWORD_BCRYPT", to be more * compatible with PHP */const hash = php_password.hash('password123', 'PASSWORD_DEFAULT', { cost: 10, salt: 'qwertyuiopasdfghjklzxc'});
Output:
"$2y$10$qwertyuiopasdfghjklzxO3U1f6PD/l04UrnxUgya51pjyLtkGNQi"
WARNING It is not recommended to generate a salt manually. The default salt that is generated is a tested, and proven cryptographically secure value. Use this option with care. The cost value should be set to a value that makes the hashing take at least 50ms.
Check if password needs rehash
If you have a mix of passwords hashed with different algorithms (md5, sha256, etc...), or with a different cost value, you can check if they comply with your password policy by checking if they need a rehash. If they do, you can prompt your user to update their password.
import php_password from 'php-passwd';const user_password = 'password123';const hash = php_password.hash(user_password, 'PASSWORD_DEFAULT', { cost: 10 }); if (php_password.verify(user_password, hash){ if (php_password.needsRehash(hash, 'PASSWORD_DEFAULT', { cost: 11 }) { // Password needs to be rehashed hash = php_password.hash(user_password, 'PASSWORD_DEFAULT', { cost: 11 }); }}