Security is enhanced by a salt created via crypto.randomBytes(). The other part is the digesting, done with a hash algorithm of your choice, several thousand times.
To get it, simply do
const pw = require('secure-password');
Then you have access to two functions:
pw.makePassword(pass, iter = 10, algo = 'sha256', saltLen = 32)
This returns a password string for storing, made from the cleartext in pass. A new salt of length saltLen is randomly created, then the given algo is applied to it 2**iter times. The result is a string of the form
The default value for iter is 10. This is an acceptable value for low-end servers that have to do a lot of these, but modern systems should use 12 or higher. The higher this value, the longer the hashing takes, so a rainbow table attack takes longer, and with the salt even more so.
This is the other side of the function. Very simple: just give it the cleartext password supplied by the client and the stored string from makePassword. It will simply return true or false, or throw an exception if stored doesn't seem to be of the right format.
Despite the package name, this only enhances security for password storage. The actual security depends on the application and storage method.