php-passwd
1.0.0 • Public • Published

Verify password hashes generated in PHP, and hash passwords in the same format.

Designed to be future proof for new hashing algorithms.

php-passwd is a solution for every kind of webapp which has a user database with passwords hashed with PHP's password_hash. Instead of starting from scratch, just use this package to get compatibility with PHP.

Installation

yarn add php-passwd

Usage

import php_password from 'php-passwd';
 
const hash = php_password.hash('password123');
// php_password.hash(password, [algorithm], [options]);

Output:

"$2y$10$8mNOnsos8qo4qHLcd32zrOg7gmyvfZ6/o9.2nsP/u6TRbrANdLREy"

If no algorithm is given, "PASSWORD_DEFAULT" will be used.

If no options are supplied, a cryptographically secure salt will be generated and the minimum recommended cost value will be used.

To verify a password against an existing hash in a database or similar:

import php_password from 'php-passwd';
const hash = "$2y$10$8mNOnsos8qo4qHLcd32zrOg7gmyvfZ6/o9.2nsP/u6TRbrANdLREy";
 
if (php_password.verify('password123', hash)){
   // Authentication OK
} else {
   // Authentication FAILED
}

Options

import php_password from 'php-passwd';
 
/*
 * Valid algorithms are "PASSWORD_DEFAULT", and "PASSWORD_BCRYPT"
 * "PASSWORD_DEFAULT" is just an alias to "PASSWORD_BCRYPT", to be more
 * compatible with PHP
 */
const hash = php_password.hash('password123', 'PASSWORD_DEFAULT', {
   cost: 10,
   salt: 'qwertyuiopasdfghjklzxc'
});

Output:

"$2y$10$qwertyuiopasdfghjklzxO3U1f6PD/l04UrnxUgya51pjyLtkGNQi"

WARNING: Generating a salt manually is not recommended. The salt generated by default is a tested and proven cryptographically secure value. Use this option with care. The cost value should be set to a value that makes the hashing take at least 50ms.

Check if password needs rehash

If you have a mix of passwords hashed with different algorithms (md5, sha256, etc...), or with a different cost value, you can check if they comply with your password policy by checking if they need a rehash. If they do, you can prompt your user to update their password.

import php_password from 'php-passwd';
const user_password = 'password123';
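// "let" rather than "const": the hash is replaced below when it needs a rehash
let hash = php_password.hash(user_password, 'PASSWORD_DEFAULT', { cost: 10 });
 
// Only rehash after the password has been verified against the stored hash
if (php_password.verify(user_password, hash)) {
   if (php_password.needsRehash(hash, 'PASSWORD_DEFAULT', { cost: 11 })) {
      // Password needs to be rehashed
      hash = php_password.hash(user_password, 'PASSWORD_DEFAULT', { cost: 11 });
   }
}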
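
The rehash decision depends on what the stored string itself encodes. As an added example (not code from php-passwd or its author), the following parses the $2y$ layout seen in the outputs on this page and lists the database rows that fall outside a cost policy, including legacy or malformed values. The helper names parseBcryptHash, needsRehashByPolicy and auditRows are hypothetical, and every sample row except the first hash is constructed.

```javascript
// Added example: inspects stored hash strings only; it does not call php-passwd.
// parseBcryptHash, needsRehashByPolicy and auditRows are hypothetical helper names.

// Layout: "$2y$" + two-digit cost + "$" + 22-char salt + 31-char digest (60 chars total)
const BCRYPT_RE = /^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

function parseBcryptHash(hash) {
  const m = BCRYPT_RE.exec(String(hash));
  if (!m) return null; // legacy (md5/sha256 hex) or truncated value
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // bcrypt only defines costs 4..31
  return { variant: m[1], cost, salt: m[3], digest: m[4] };
}

// True when the value is not a well-formed bcrypt hash, or its cost differs from the policy
function needsRehashByPolicy(hash, policyCost) {
  const parsed = parseBcryptHash(hash);
  return parsed === null || parsed.cost !== policyCost;
}

// Users whose stored hash should be replaced at their next successful login
function auditRows(rows, policyCost) {
  return rows.filter((r) => needsRehashByPolicy(r.hash, policyCost)).map((r) => r.user);
}

// First hash is the output shown on this page; the other rows are constructed samples.
const sampleRows = [
  { user: 'alice', hash: '$2y$10$8mNOnsos8qo4qHLcd32zrOg7gmyvfZ6/o9.2nsP/u6TRbrANdLREy' },
  { user: 'bob', hash: '0123456789abcdef0123456789abcdef' }, // constructed md5-style hex
  { user: 'carol', hash: '$2y$10$truncated' },               // constructed malformed value
];

console.log(parseBcryptHash(sampleRows[0].hash));
console.log('outside cost-10 policy:', auditRows(sampleRows, 10));
console.log('outside cost-11 policy:', auditRows(sampleRows, 11));
```

A row flagged here can only be rehashed once the user's plaintext password has been verified at login, as in the needsRehash snippet above.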

License

GPL-2.0

Collaborators

  • michaelkilian