gitmyhub

bcrypt.js

JavaScript ★ 3.8k updated 1mo ago

Optimized bcrypt in JavaScript with zero dependencies, with TypeScript support.

A pure-JavaScript library for securely hashing passwords using the bcrypt algorithm. Works in both Node.js and browsers, adds automatic salting, and lets you tune hashing speed to stay ahead of faster hardware.

JavaScriptNode.jsTypeScriptnpmsetup: easycomplexity 2/5

bcrypt.js is a JavaScript library for securely hashing passwords. When a web application stores passwords, it should never store them as plain text. Instead, passwords are run through a hashing algorithm that converts them into a fixed-length string that cannot be reversed. When a user logs in, the app hashes what they typed and compares it to the stored hash. This library implements bcrypt, one of the most widely trusted algorithms for this purpose.

Bcrypt has a built-in feature that makes it resistant to brute-force guessing even as computers get faster over time: you can increase the number of processing rounds it uses, making each hash operation slower and therefore making it harder for an attacker to try millions of passwords quickly. The library also automatically adds a random value called a salt to each password before hashing, which means two users with the same password will have different hashes stored in the database.

The library works in both Node.js server environments and directly in web browsers, with no external dependencies. It includes TypeScript type definitions for projects that use TypeScript. Functions come in both synchronous versions (which block until done) and asynchronous versions (which run in the background without freezing other activity). There is also a command-line interface for hashing a value directly from the terminal.

One important limitation noted in the README is that the library is written in pure JavaScript rather than compiled native code, which makes it about 30 percent slower than the native bcrypt binding for Node.js. The maximum password length it can process is 72 bytes, and the library provides a helper function to check whether a given password would be silently cut off at that limit.

The package is available on npm under the name bcryptjs and can also be loaded directly in a browser via CDN links.

Where it fits