
bcryptjs

v3.0.2


Optimized bcrypt in plain JavaScript with zero dependencies, with TypeScript support. Compatible to 'bcrypt'.

Downloads

11,865,995

Readme

bcrypt.js

Optimized bcrypt in JavaScript with zero dependencies, with TypeScript support. Compatible with the C++ bcrypt binding on Node.js and also working in the browser.

Security considerations

Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power.

While bcrypt.js is compatible with the C++ bcrypt binding, it is written in pure JavaScript and thus slower (about 30%), effectively reducing the number of iterations that can be processed in an equal time span.

The maximum input length is 72 bytes (note that UTF-8 encoded characters use up to 4 bytes) and the length of generated hashes is 60 characters. To stay compatible with the C++ binding on Node.js, the library does not check the maximum input length implicitly; check it with bcrypt.truncates(password) where necessary.
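
An added example (not part of the bcrypt.js README) showing that the 72-byte limit counts UTF-8 bytes rather than characters, and that two distinct passwords become identical once truncated. The helper names are hypothetical; wouldTruncate stands in for bcrypt.truncates(password) so the block runs with Node.js built-ins only.

```javascript
// Added example: models the 72-byte input limit without importing bcryptjs.
const BCRYPT_MAX_BYTES = 72; // maximum input length stated above
const encoder = new TextEncoder();

// UTF-8 byte length is what bcrypt sees, not String.length.
function utf8ByteLength(password) {
  return encoder.encode(password).length;
}

// Answers the same question as bcrypt.truncates(password).
function wouldTruncate(password) {
  return utf8ByteLength(password) > BCRYPT_MAX_BYTES;
}

// Only the first 72 bytes influence the resulting hash.
function effectiveBytes(password) {
  return encoder.encode(password).slice(0, BCRYPT_MAX_BYTES);
}

// True when two different passwords are indistinguishable after truncation.
function collideAfterTruncation(a, b) {
  const x = effectiveBytes(a);
  const y = effectiveBytes(b);
  return a !== b && x.length === y.length && x.every((v, i) => v === y[i]);
}

// Registration-time policy: reject instead of silently truncating.
function checkPassword(password) {
  const bytes = utf8ByteLength(password);
  if (bytes > BCRYPT_MAX_BYTES) {
    return { ok: false, bytes, reason: `password is ${bytes} bytes, limit is ${BCRYPT_MAX_BYTES}` };
  }
  return { ok: true, bytes };
}

// Constructed sample inputs.
const ascii72 = "a".repeat(72);
const emoji19 = "\u{1F511}".repeat(19); // 38 UTF-16 units, 76 UTF-8 bytes

console.log(wouldTruncate(ascii72));
console.log(emoji19.length, utf8ByteLength(emoji19), wouldTruncate(emoji19));
console.log(collideAfterTruncation(ascii72 + "X", ascii72 + "Y"));
console.log(checkPassword(emoji19));
```

In an application that imports the package, replace wouldTruncate with bcrypt.truncates(password) and run the check before hashing.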

Usage

The package exports an ECMAScript module with an UMD fallback.

$> npm install bcryptjs

import bcrypt from "bcryptjs";

Usage with a CDN

  • From GitHub via jsDelivr: https://cdn.jsdelivr.net/gh/dcodeIO/bcrypt.js@TAG/index.js (ESM)
  • From npm via jsDelivr: https://cdn.jsdelivr.net/npm/bcryptjs@VERSION/index.js (ESM) https://cdn.jsdelivr.net/npm/bcryptjs@VERSION/umd/index.js (UMD)
  • From npm via unpkg: https://unpkg.com/bcryptjs@VERSION/index.js (ESM) https://unpkg.com/bcryptjs@VERSION/umd/index.js (UMD)

Replace TAG or VERSION, respectively, with a specific version, or omit it (not recommended in production) to use the latest.

When using the ESM variant in a browser, the crypto import needs to be stubbed out, for example using an import map. Bundlers should omit it automatically.

Usage - Sync

To hash a password:

const salt = bcrypt.genSaltSync(10);
const hash = bcrypt.hashSync("B4c0/\/", salt);
// Store hash in your password DB

To check a password:

// Load hash from your password DB
bcrypt.compareSync("B4c0/\/", hash); // true
bcrypt.compareSync("not_bacon", hash); // false

Auto-gen a salt and hash:

const hash = bcrypt.hashSync("bacon", 10);

Usage - Async

To hash a password:

// With promises
const salt = await bcrypt.genSalt(10);
const hash = await bcrypt.hash("B4c0/\/", salt);
// Store hash in your password DB

// With callbacks
bcrypt.genSalt(10, (err, salt) => {
  bcrypt.hash("B4c0/\/", salt, function (err, hash) {
    // Store hash in your password DB
  });
});

To check a password:

// With promises
// Load hash from your password DB
await bcrypt.compare("B4c0/\/", hash); // true
await bcrypt.compare("not_bacon", hash); // false

// With callbacks
// Load hash from your password DB
bcrypt.compare("B4c0/\/", hash, (err, res) => {
  // res === true
});
bcrypt.compare("not_bacon", hash, (err, res) => {
  // res === false
});

Auto-gen a salt and hash:

// With promises
await bcrypt.hash("B4c0/\/", 10);
// Store hash in your password DB

// With callbacks
bcrypt.hash("B4c0/\/", 10, (err, hash) => {
  // Store hash in your password DB
});

Note: Under the hood, asynchronous APIs split an operation into small chunks. After the completion of a chunk, the execution of the next chunk is placed on the back of the JS event queue, efficiently yielding for other computation to execute.

Usage - Command Line

Usage: bcrypt <input> [rounds|salt]

API

Callback types

  • Callback<T>: (err: Error | null, result?: T) => void

    Called with an error on failure or a value of type T upon success.

  • ProgressCallback: (percentage: number) => void

    Called with the percentage of rounds completed (0.0 - 1.0), at most once per MAX_EXECUTION_TIME = 100 ms.

  • RandomFallback: (length: number) => number[]

    Called to obtain random bytes when both Web Crypto API and Node.js crypto are not available.

Functions

  • bcrypt.genSaltSync(rounds?: number): string

    Synchronously generates a salt. Number of rounds defaults to 10 when omitted.

  • bcrypt.genSalt(rounds?: number): Promise<string>

    Asynchronously generates a salt. Number of rounds defaults to 10 when omitted.

  • bcrypt.genSalt([rounds: number, ]callback: Callback<string>): void

    Asynchronously generates a salt. Number of rounds defaults to 10 when omitted.

  • bcrypt.truncates(password: string): boolean

    Tests if a password will be truncated when hashed, that is, if its length is greater than 72 bytes when converted to UTF-8.

  • bcrypt.hashSync(password: string, salt?: number | string): string

    Synchronously generates a hash for the given password. Number of rounds defaults to 10 when omitted.

  • bcrypt.hash(password: string, salt: number | string): Promise<string>

    Asynchronously generates a hash for the given password.

  • bcrypt.hash(password: string, salt: number | string, callback: Callback<string>, progressCallback?: ProgressCallback): void

    Asynchronously generates a hash for the given password.

  • bcrypt.compareSync(password: string, hash: string): boolean

    Synchronously tests a password against a hash.

  • bcrypt.compare(password: string, hash: string): Promise<boolean>

    Asynchronously compares a password against a hash.

  • bcrypt.compare(password: string, hash: string, callback: Callback<boolean>, progressCallback?: ProgressCallback)

    Asynchronously compares a password against a hash.

  • bcrypt.getRounds(hash: string): number

    Gets the number of rounds used to create the specified hash.

  • bcrypt.getSalt(hash: string): string

    Gets the salt portion from a hash. Does not validate the hash.

  • bcrypt.setRandomFallback(random: RandomFallback): void

    Sets the pseudo random number generator to use as a fallback if neither Web Crypto API nor Node.js crypto is available. Please note: It is highly important that the PRNG used is cryptographically secure and that it is seeded properly!
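
Because bcrypt.getSalt does not validate the hash, and a raised round count only helps once stored hashes are upgraded, the following added example (not code from bcrypt.js) validates the 60-character layout of a stored hash and flags hashes below a target cost for re-hashing after the next successful login. The layout regex, function names, target costs and the sample hash are assumptions made for illustration.

```javascript
// Added example: stored-hash validation and rehash policy, built-ins only.
// Layout: $<version>$<2-digit rounds>$<22-char salt><31-char digest> = 60 chars.
const BCRYPT_LAYOUT = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Returns the parsed fields, or null when the stored value is malformed.
function parseBcryptHash(stored) {
  const m = typeof stored === "string" ? BCRYPT_LAYOUT.exec(stored) : null;
  if (!m) return null;
  const rounds = Number(m[2]);
  if (rounds < 4 || rounds > 31) return null; // bcrypt cost range
  return { version: m[1], rounds, salt: m[3], digest: m[4] };
}

// Decide, after a successful compare, whether to re-hash with more rounds.
function needsRehash(stored, targetRounds) {
  const parsed = parseBcryptHash(stored);
  if (!parsed) return { valid: false, rehash: false };
  return { valid: true, rehash: parsed.rounds < targetRounds, rounds: parsed.rounds };
}

// Each extra round doubles the work: the iteration count is 2^rounds.
function costIncreaseFactor(fromRounds, toRounds) {
  return 2 ** (toRounds - fromRounds);
}

// Constructed value with the right shape; it is not the hash of any password.
const SAMPLE_HASH =
  "$2b$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234";

console.log(SAMPLE_HASH.length);               // 60
console.log(parseBcryptHash(SAMPLE_HASH));
console.log(needsRehash(SAMPLE_HASH, 12));     // below target: rehash
console.log(needsRehash("not-a-hash", 12));    // malformed: reject
console.log(costIncreaseFactor(10, 12));       // 4
```

With the package imported, bcrypt.getRounds(hash) gives the same round count as parseBcryptHash(hash).rounds for a well-formed hash, and the re-hash itself is a call to bcrypt.hash with the higher round count.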

Building

Building the UMD fallback:

$> npm run build

Running the tests:

$> npm test

Credits

Based on work started by Shane Girish at bcrypt-nodejs, which is itself based on javascript-bcrypt (New BSD-licensed).