What is an alternative for bcrypt to use with node?

Question

I have tried for days to get bcrypt installed on my windows machine with no luck. One of the dependencies (Windows 7 SDK) does not want to be installed even though I have tried numerous suggestions from around the net it just refuses to cooperate.

I need a good alternative to bcrypt which does not have any dependencies.

Answer 1

It's possible to hash using either Argon2i, Argon2d or Argon2id (default), and verify if a password matches a hash.

https://www.npmjs.com/package/argon2

const password = 'password123';

async function hashPassword(password) {
  try {
    const hashedPassword = await argon2.hash(password);
    console.log('Hashed password:', hashedPassword);
  } catch (error) {
    console.error('Error hashing password:', error);
  }
}

hashPassword(password);

Answer 2

Here is an improved version of @malik-bagwala with JsDocs, types and a match password function.

import { randomBytes, scryptSync } from 'crypto';

// Pass the password string and get hashed password back
// ( and store only the hashed string in your database)
const encryptPassword = (password: string, salt: string) => {
  return scryptSync(password, salt, 32).toString('hex');
};

/**
 * Hash password with random salt
 * @return {string} password hash followed by salt
 *  XXXX till 64 XXXX till 32
 *
 */
export const hashPassword = (password: string): string => {
  // Any random string here (ideally should be at least 16 bytes)
  const salt = randomBytes(16).toString('hex');
  return encryptPassword(password, salt) + salt;
};

// fetch the user from your db and then use this function

/**
 * Match password against the stored hash
 */
export const matchPassword = (password: string, hash: string): Boolean => {
  // extract salt from the hashed string
  // our hex password length is 32*2 = 64
  const salt = hash.slice(64);
  const originalPassHash = hash.slice(0, 64);
  const currentPassHash = encryptPassword(password, salt);
  return originalPassHash === currentPassHash;
};

Answer 3

As of 24th April 2020 There is a nice built in way of hashing passwords using scrypt in the crypto module

// Using the built in crypto module

const { scryptSync, randomBytes } = require("crypto");


// Any random string here (ideally should be atleast 16 bytes)

const salt = randomBytes(16).toString("hex")


// Pass the password string and get hashed password back
// ( and store only the hashed string along with the salt in your database)
// {hashedPassword}${salt}

const getHash = (password) => scryptSync(password, salt, 32).toString("hex");

Answer 4

If someone faces similar issue, you can try bcryptjs which is optimized bcrypt written in JavaScript with zero dependencies and is also compatible to the C++ bcrypt.

Answer 5

You should really use the built-in crypto module for your encryption needs. It's basically a binding to OpenSSL, a fast, stable, secure, and well-vetted crypto library. Trying to implement your own crypto (or use someone else's unvalidated attempt at implementing crypto) is a recipe for disaster.

If you're looking to encrypt data, all you have to do is call crypto.createCipher, which returns a readable/writable Stream. Write data into the stream and it will emit data events with the encrypted data.

For example:

var stream = crypto.createCipher('aes192', 'mysecretpassword');
stream.on('data', function(enc) {
    // enc is a `Buffer` with a chunk of encrypted data
});

stream.write('some secret data');
stream.end();

Answer 6

Check out https://npmjs.org/package/bcryptjs, it's fully compatible with bcrypt just without the dependencies.

Or https://npmjs.org/package/simplecrypt if you don't want the crypto boilerplate and just need to encrypt and decrypt strings.