npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

easy-pbkdf2

v0.1.2

Published

Easily generate securily salted PBKDF2 hashes for password storage

Downloads

2,045

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

davidmurdochdavidmurdoch

Keywords

pbkdf2passwordpasswordssaltsecurityloginauthauthorizationsignkeyhash

Readme

Easy PBKDF2 for node.js

Easy PBKDF2 makes it easier to create secure, individually salted, password hashes using PBKDF2.

This implementation is based on StackExchange's own Open Sourced PBKDF2 methods.

Installation:

via cmd line:

$ npm install easy-pbkdf2 --save

or in your package.json:

"dependencies": {
    "easy-pbkdf2": "0.x.x"
}

Usage:

var easyPbkdf2 = require("easy-pbkdf2")();
var salt = easyPbkdf2.generateSalt(); // `salt` should be treated as opaque, as it captures iterations
var password = "RandomDigits";
easyPbkdf2.secureHash( password, salt, function( err, passwordHash, originalSalt ) {
    // use your own db's methods to save the hashed password AND salt.
    currentUser.update({
        // The Base64 encoded hash, 344 characters long
        "password_hash": passwordHash,
        // Salt length varies based on SALT_SIZE and iterations. The default SALT_SIZE of
        // 32 produces a value that is:
        // (hashIterations.toString(16).length) + 1 + base64EncodedSalt.length)
        // characters long (42 characters).
        "salt": originalSalt // === salt
    });
});

// ...

// sometime later:
function authenticate( user, userEnteredPassword, callback ) {
	// make sure the user-entered password is equal to the previously
    // created hash when hashed with the same salt.
    easyPbkdf2.verify( user.salt, user.password_hash, userEnteredPassword, function( err, valid ) {
        callback( valid );
    });
}

You can also use EasyPbkdf2 to generate the salt for you by omitting the salt parameter:

easyPbkdf2.secureHash( password, function( err, passwordHash, newSalt ) {
    // save newSalt somewhere!
});

To create a new instance of EasyPbkdf2:

    var easyPbkdf2 = require("easy-pbkdf2")();

You can also use the following methods of instantiation:

// the EasyPbkdf2 constructor
var EasyPbkdf2 = require("easy-pbkdf2"),
    easyPbkdf2;

easyPbkdf2 = EasyPbkdf2(options);
easyPbkdf2 = new EasyPbkdf2(options);
easyPbkdf2 = EasyPbkdf2.EasyPbkdf2(options);
easyPbkdf2 = new EasyPbkdf2.EasyPbkdf2(options);

of which all will return an EasyPbkdf2 instance with options set.

Options

 var options = {
    // default DEFAULT_HASH_ITERATIONS is 512
    "DEFAULT_HASH_ITERATIONS": 256,
    // default SALT_SIZE is 32
    "SALT_SIZE": 16,
    // default KEY_LENGTH is 256
    "KEY_LENGTH": 128
};

var easyPbkdf2 = new EasyPbkdf2(options);
console.log(easyPbkdf2.DEFAULT_HASH_ITERATIONS) // 256
console.log(easyPbkdf2.SALT_SIZE); // 16
console.log(easyPbkdf2.KEY_LENGTH); // 128

// options are applied to each instance individually.
console.log( (new EasyPbkdf2()).DEFAULT_HASH_ITERATIONS ); // 512

Methods

###weakHash( value )

Cranks out a collision resistant hash, relatively quickly. Not suitable for passwords, or sensitive information. Synchronous only

Params:

  • value: String or Object. Base64 encoded SHA-1 hash of value

Returns:

  • A string; Base64 encoded SHA-1 hash of value

###random( bytes, callback )

Universal random provider. Generates cryptographically strong pseudo-random data. Syncronous or Asyncronous

Params:

  • bytes: Number. The number of bytes to return.
  • callback: Function. The callback to call for async operation (optional)

Returns:

  • A SlowBuffer; A buffer containing therandom bytes. (optional)

###generateSalt( explicitIterations, callback )

Convenience wrapper around .random to grab a new salt value. Treat this value as opaque, as it captures iterations.

Salt length varies based on SALT_SIZE and iterations. The default SALT_SIZE of 32 produces a value that is: (hashIterations.toString(16).length) + 1 + base64EncodedSalt.length) characters long (42 characters).

Synchronous or Asynchronous

Params:

  • explicitIterations: Number. An integer (optional)
  • callback: Function. (optional)

Returns:

  • A String. Return iterations and salt together as one string ({hex-iterations}.{base64-salt}) (optional)

###secureHash( value, salt, callback )

Alias for hash.

###hash( value, salt, callback )

Backs Secure hashes. Uses PBKDF2 internally, as implemented by node's native crypto library. See http://en.wikipedia.org/wiki/PBKDF2 and http://code.google.com/p/crypto-js/ for more information. Asynchronous only

Params:

  • value: String. The plaintext value/password you want to hash.
  • salt: String. salt (should include iterations). Automatically created if omitted. (optional)
  • callback: Function. fn( {Error} err, {String} A secure hash (base64 encoded), {String} the original or newly created salt ).

###verify( salt, priorHash, value, callback )

Verifies that the supplied plaintext value hashes to the same base64 encoded string as the priorHash, when hashed with the same salt. This method uses a constant-time string equality check to ensure information is not leaked via timing-attack. Asynchronous only

Params:

  • salt: String. salt (should include iterations).
  • priorHash: String. A secure hash (base64 encoded).
  • value: String. The plaintext value/password you want to verify.
  • callback: Function. fn( {Error} err, {Boolean} True if the value matches the priorHash, false if not. ).

Issues

Please file them here: https://github.com/davidmurdoch/easy-pbkdf2/issues.

And remember: pull requests are very welcome. :-)