A secure way to store a password.


Secure Passwords for node.js


This simple package was inspired by the pwstore package for Haskell. It features a simple way to create fairly secure passwords for node.js.

The security is enhanced by a salt, created via crypto.randomBytes(). The other part is the digesting, done with an algorithm of your choice, several thousand times.


To get it, simply do

pw = require('secure-password');

Then you have access to two functions:

  • pw.makePassword(pass, iter = 10, algo = 'sha256', saltLen = 32)

    This returns a password string for storing, made from the cleartext in pass. A new salt of length saltLen is randomly created, then the given algo is applied to it, 2**iter times. The result is a string of the form


    The default value for iter is 10. This is OK as a value for low-end servers that have to do a lot of these, but modern systems should use 12 or higher. The higher this value, the longer the hashing takes. A rainbow table attack takes longer, with the salt even more so.

  • pw.verifyPassword(pass, stored)

    This is the counterpart to makePassword. Give it the cleartext password supplied by the client and the stored string from makePassword. It returns true or false, or throws an exception if stored doesn't seem to be of the right format.
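
The scheme the two functions describe (random salt, digest repeated 2**iter times, verification against the stored string), as an added example that is not the package's own code. The names stretch, makeStored and verifyStored, the `algo$iter$salt$hash` layout, the exact chaining of rounds and the iteration cap of 24 are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Hash salt + password once, then re-hash salt + digest until 2**iter rounds are done.
function stretch(pass, salt, iter, algo) {
  let digest = crypto.createHash(algo).update(salt).update(pass, 'utf8').digest();
  for (let i = 1; i < 2 ** iter; i++) {
    digest = crypto.createHash(algo).update(salt).update(digest).digest();
  }
  return digest;
}

// Assumed storage layout (not the package's): algo$iter$salt$hash, salt and hash in base64.
function makeStored(pass, iter = 10, algo = 'sha256', saltLen = 32) {
  const salt = crypto.randomBytes(saltLen); // fresh salt per password
  const hash = stretch(pass, salt, iter, algo);
  return [algo, iter, salt.toString('base64'), hash.toString('base64')].join('$');
}

function verifyStored(pass, stored) {
  const parts = String(stored).split('$');
  if (parts.length !== 4) throw new Error('stored password has the wrong format');
  const [algo, iterText, saltB64, hashB64] = parts;
  const iter = Number(iterText);
  // Reject unknown digests and absurd work factors before doing any hashing:
  // a tampered record must not be able to pin the CPU (the cap of 24 is an assumption).
  if (!crypto.getHashes().includes(algo) || !Number.isInteger(iter) || iter < 0 || iter > 24) {
    throw new Error('stored password has the wrong format');
  }
  const expected = Buffer.from(hashB64, 'base64');
  const actual = stretch(pass, Buffer.from(saltB64, 'base64'), iter, algo);
  // Constant-time comparison; timingSafeEqual requires equal lengths.
  return actual.length === expected.length && crypto.timingSafeEqual(actual, expected);
}
```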


Despite the package name, this is only a way to enhance security for password storage. The actual security depends on the application and storage method.