This repository was archived by the owner on Jan 1, 2026. It is now read-only.

srcagency/credentials

Credentials

Secure password hashing and verification with core Node.js modules.

  • Time-consuming hashing (PBKDF2 with SHA-512) to combat brute force
  • Per password salt to combat rainbow tables
  • Incrementing work/complexity to combat future computing advances
  • Constant time equality check to combat timing attacks
    const {hash, verify} = require('credentials')

    // hash() and verify() return promises
    hash('password').then(hashed => verify(hashed, 'password'))
    // → resolves to true

If you find a security flaw in this code, please contact [email protected].
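
The four properties listed above can be sketched with Node's core `crypto` module. This is an added example, not the library's own code: `hashPassword`, `verifyPassword`, `needsRehash`, the JSON record layout and `BASE_ITERATIONS` are assumptions made for illustration.

```javascript
const { pbkdf2Sync, randomBytes, timingSafeEqual } = require('crypto')

// Assumed baseline for this sketch; not the library's actual iteration count.
const BASE_ITERATIONS = 210000

// Hash with PBKDF2-SHA512 and a fresh random salt. The JSON record layout is
// an assumption of this example; it stores the parameters used.
function hashPassword (password, { keyLength = 64, work = 1 } = {}) {
  const iterations = Math.max(1, Math.floor(BASE_ITERATIONS * work))
  const salt = randomBytes(keyLength) // per-password salt
  const key = pbkdf2Sync(password, salt, iterations, keyLength, 'sha512')
  return JSON.stringify({
    salt: salt.toString('base64'),
    hash: key.toString('base64'),
    iterations,
    keyLength
  })
}

// Re-derive with the parameters stored in the record, so hashes made at an
// older work factor still verify after the factor is raised.
function verifyPassword (stored, password) {
  let rec
  try { rec = JSON.parse(stored) } catch (err) { return false }
  if (!rec || typeof rec.salt !== 'string' || typeof rec.hash !== 'string' ||
      !Number.isInteger(rec.iterations) || rec.iterations < 1 ||
      !Number.isInteger(rec.keyLength) || rec.keyLength < 1) return false
  const expected = Buffer.from(rec.hash, 'base64')
  const actual = pbkdf2Sync(password, Buffer.from(rec.salt, 'base64'),
    rec.iterations, rec.keyLength, 'sha512')
  // timingSafeEqual throws on unequal lengths; the length itself is not secret.
  return expected.length === actual.length && timingSafeEqual(expected, actual)
}

// True when a record was made below the current work factor and should be
// re-hashed the next time the user signs in successfully.
function needsRehash (stored, work = 1) {
  const target = Math.max(1, Math.floor(BASE_ITERATIONS * work))
  return JSON.parse(stored).iterations < target
}
```

Because the salt is random, hashing the same password twice yields two different records, and both verify.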

Usage

    npm install credentials

    const {hash, verify, expired} = require('credentials')

    hash(password /*[, opts]*/)
    // → hashed (string), ready for storage

    verify(hashed, password)
    // → isValid (Boolean)

    expired(hashed /*[, days[, opts]]*/)
    // → isExpired (Boolean)

hash optionally accepts an object literal of configuration values. Defaults to:

    {
      keyLength: 64, // length of salt
      work: 1, // relative work load (0.5 for half the work)
    }

expired optionally accepts an object literal of configuration values. Defaults to:

    {
      work: 1,
    }

Preconfigured functions:

    const {hash, verify, expired} = require('credentials').configure({
      // defaults:
      keyLength: 64,
      work: 1,
      expiry: 90,
    })

Examples

Sign up

    const {hash} = require('credentials')

    hash(userInput)
      .then(hashed => saveHash(hashed))

Sign in

    const {verify} = require('credentials')

    verify(hashed, userInput)
      .then(isValid => {
        if (!isValid) throw new Error('Bad credentials')
        // allow access
      })

CLI

    $ credentials --help

      Usage: cmd [options] [command]

      Commands:

        hash [options] [password]   Hash password
        verify [hash] <password>    Verify password

      Options:

        -h, --help   output usage information

    $ credentials hash --help

      Usage: hash [options] [password]

      Hash password

      Options:

        -h, --help                     output usage information
        -w --work <work>               relative work load (0.5 for half the work)
        -k --key-length <key-length>   length of salt

The password argument for hash and the hash argument for verify both support piping by replacing with a dash (-):

    $ echo -n "my password" | credentials hash - | credentials verify - "my password"
    Verified

Exit codes 0 and 1 are used to communicate verified or invalid as well.

Expiry

The expiry configuration value is used entirely by the expired method. verify does not check if a password is expired.

The main purpose of this concept is to tell the user to update their password.

Inspiration

This was initially a fork of @ericelliott's great effort at https://github.com/ericelliott/credential with the main differences being:

  • Better default values (SHA-512 and a key length of 64 bytes)
  • Promises
  • There's a CLI
  • Each instance is separate - no globals or leak to other instances

Produced hashes are compatible.

A merge was not possible due to differences discovered in ericelliott/credential#25.
