Secure password hashing with salt and key stretching
Author: James Brumond
Copyright 2012 James Brumond
Dual licensed under MIT and GPL
$ npm install sechash
Running a simple hash
```javascript
var sechash = require('sechash');

// This will do a simple sha1 hash, the same as if you used the
// built-in "crypto" module.
var hash = sechash.basicHash('sha1', 'some string');

// You can also use the testBasicHash method to easily test if
// a string matches a hash
sechash.testBasicHash('sha1', 'some string', hash); // true
```
Using the strong stuff
```javascript
var sechash = require('sechash');

var opts = {
  algorithm: 'sha1',
  iterations: 2000,
  salt: 'some salt string'
};

// This will hash the string quite a bit more strongly.
var hash = sechash.strongHashSync('some string', opts);

// Because this function can take so long to run, it has an asynchronous
// option as well, which is very similar...
sechash.strongHash('some string', opts, function(err, hash) {
  // ...
});

// As of version 0.2.0, basic promise-style callbacks (using oath) are also
// supported on async functions (strongHash and testHash).
sechash.strongHash('some string', opts).then(function(hash) {
  // ...
});
```
Testing a hash
```javascript
var sechash = require('sechash');

var opts = {
  algorithm: 'sha1',
  iterations: 2000,
  salt: 'some salt string'
};

// First we generate a hash...
var hash = sechash.strongHashSync('some string', opts);

// To test if a string matches a hash, we use the testHash method
sechash.testHashSync('some string', hash, opts);       // true
sechash.testHashSync('some other string', hash, opts); // false

// Again, this function also has an async form...
sechash.testHash('some string', hash, opts, function(err, matches) {
  // ...
});
```
More Advanced Configuration
The following options can be given in the options object seen above. The options object can also be omitted entirely, in which case all default options are used.
algorithm
The hashing algorithm to use. Common hashing algorithms include "sha512". The default used by sechash is
iterations
One method used by sechash to make hashes more secure is key stretching, or iterating over a hash multiple times with the express purpose of slowing down the hashing process. This value is the number of times to hash the given string. The default used is
salt
Another method used by sechash is called salt. By default, sechash will randomly generate some salt to use, but you can provide this value to specify the salt string.
This value only applies to the asynchronous functions. Key stretching greatly increases the amount of time needed to run a hash, which means that (especially for large iterations values) your application will be blocked for a short while. To avoid blocking for too long, these functions yield control back to the event loop every so often to allow other parts of the application to run. This value is the number of iterations to run between "yields". It defaults to 500.
includeMeta
When you generate a hash using sechash, the actual hash will often be prefixed with some meta data about how the hash was generated. This allows sechash to correctly repeat the hashing process, which is what makes hash testing possible. If you do not want this meta data included in the hash, you can set includeMeta to false. One reason for doing this may be that, instead of using a random salt, you want to use one secret salt value and you don't want this value stored with the hash.