Password Hashing
In this section, we will explore how to securely hash passwords using Argon2, one of the most advanced and secure password-hashing algorithms available today. Developed as a winner of the Password Hashing Competition (PHC), Argon2 is designed to protect against brute-force attacks, both by consuming significant computational resources and by utilizing memory-hard functions. This makes it a preferred choice for modern security practices.
Create Argon2 hash
Method to create a hash of a text/password using the Argon2 algorithm.

createArgonHashFromPassword

```typescript
public createArgonHashFromPassword(
  data: string | Buffer,
): string;
```
Parameters:

| Name | Type | Default | Description |
|---|---|---|---|
| `data` (required) | `string \| Buffer` | | Password to hash |
Module Parameters:

Internally, this method uses parameters that are defined at the module level during initialization, as we have seen previously. The internal parameters used and their corresponding configuration keys are as follows:

- `hashLength`: Specifies the length of the resulting hash. This is set via `hashing.password.outputKeyLength` and determines the size of the final hash in bytes.
- `type`: Defines the variant of Argon2 to use (`argon2i`, `argon2d`, or `argon2id`). This is configured using `hashing.password.argon2Type`.
- `memoryCost`: Sets the amount of memory (in KB) that the algorithm will use during the hashing process. This value is determined by `hashing.password.memoryCost` and plays a critical role in resisting brute-force attacks.
- `timeCost`: Specifies the number of iterations, i.e. the amount of computational work Argon2 will perform. It is defined via `hashing.password.timeCost` to balance security against performance.
Outputs:

As output, it will return a string of the form `$argon2i$v=19$m=4096,t=3,p=1$c2g56.....jk7A`, where the fields `argon2i`, `v=19`, `m=4096`, `t=3` and `p=1` may vary depending on the options supplied to CryptographyModule when it was configured.
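As an added example (not part of the CryptographyModule documentation or its code), the following TypeScript parses the encoded string shown above into its fields (`m` is the memory cost in KiB, `t` the iteration count, `p` the parallelism, followed by the base64 salt and hash) and uses them to decide whether a stored hash was produced with parameters weaker than the module's current configuration. That is the check a login flow needs in order to re-hash old passwords after `hashing.password.memoryCost` or `hashing.password.timeCost` has been raised. The policy shape and the function names `parseArgon2Hash` and `needsRehash` are assumptions, and the sample hashes are constructed, not real module output.

```typescript
// Added example, not the CryptographyModule's own code. Parses the PHC-style
// string returned by createArgonHashFromPassword and compares its parameters
// against the module-level configuration. Names below are assumptions.

export type Argon2Type = 'argon2i' | 'argon2d' | 'argon2id';

function isArgon2Type(s: string): s is Argon2Type {
  return s === 'argon2i' || s === 'argon2d' || s === 'argon2id';
}

export interface Argon2Params {
  type: Argon2Type;
  version: number;      // the v= field (19 for current Argon2)
  memoryCost: number;   // the m= field, in KiB
  timeCost: number;     // the t= field, iterations
  parallelism: number;  // the p= field, lanes
  salt: Buffer;
  hash: Buffer;
}

// Decode "$<type>$v=<n>$m=<kib>,t=<iters>,p=<lanes>$<salt-b64>$<hash-b64>".
// Argon2 encodes salt and hash as standard base64 without '=' padding;
// Node's Buffer decoder accepts unpadded input.
export function parseArgon2Hash(encoded: string): Argon2Params {
  const parts = encoded.split('$');
  // parts[0] is the empty string before the leading '$'
  if (parts.length !== 6 || parts[0] !== '') {
    throw new Error('not a PHC-formatted Argon2 string');
  }
  const [, type, versionField, costField, saltB64, hashB64] = parts;
  if (!isArgon2Type(type)) {
    throw new Error(`unknown Argon2 variant: ${type}`);
  }
  const versionMatch = /^v=(\d+)$/.exec(versionField);
  if (!versionMatch) {
    throw new Error('missing or malformed version field');
  }
  const costs = new Map<string, number>();
  for (const kv of costField.split(',')) {
    const m = /^([mtp])=(\d+)$/.exec(kv);
    if (!m) {
      throw new Error(`bad cost parameter: ${kv}`);
    }
    costs.set(m[1], Number(m[2]));
  }
  for (const key of ['m', 't', 'p']) {
    if (!costs.has(key)) {
      throw new Error(`missing cost parameter: ${key}`);
    }
  }
  return {
    type,
    version: Number(versionMatch[1]),
    memoryCost: costs.get('m')!,
    timeCost: costs.get('t')!,
    parallelism: costs.get('p')!,
    salt: Buffer.from(saltB64, 'base64'),
    hash: Buffer.from(hashB64, 'base64'),
  };
}

// Minimum acceptable settings, mirroring the module configuration keys.
export interface Argon2Policy {
  type: Argon2Type;     // hashing.password.argon2Type
  memoryCost: number;   // hashing.password.memoryCost (KiB)
  timeCost: number;     // hashing.password.timeCost
  hashLength: number;   // hashing.password.outputKeyLength (bytes)
}

// True when the stored hash is weaker than the current policy and should be
// replaced (re-hash the plaintext right after a successful verification).
export function needsRehash(encoded: string, policy: Argon2Policy): boolean {
  const p = parseArgon2Hash(encoded);
  return (
    p.type !== policy.type ||
    p.memoryCost < policy.memoryCost ||
    p.timeCost < policy.timeCost ||
    p.hash.length < policy.hashLength
  );
}

// Constructed sample data (not real hashes): a 16-byte salt and a 32-byte
// digest, encoded the way Argon2 does (base64 with padding stripped).
const b64 = (b: Buffer): string => b.toString('base64').replace(/=+$/, '');
const sampleSalt = Buffer.from('0123456789abcdef', 'utf8');
const sampleDigest = Buffer.alloc(32, 0xab);

export const SAMPLE_OLD_HASH =
  `$argon2i$v=19$m=4096,t=3,p=1$${b64(sampleSalt)}$${b64(sampleDigest)}`;
export const SAMPLE_CURRENT_HASH =
  `$argon2id$v=19$m=65536,t=3,p=1$${b64(sampleSalt)}$${b64(sampleDigest)}`;

// Assumed current configuration of the module.
export const CURRENT_POLICY: Argon2Policy = {
  type: 'argon2id',
  memoryCost: 65536,
  timeCost: 3,
  hashLength: 32,
};

console.log(needsRehash(SAMPLE_OLD_HASH, CURRENT_POLICY));     // true
console.log(needsRehash(SAMPLE_CURRENT_HASH, CURRENT_POLICY)); // false
```

The parameters are read from the stored string rather than from configuration because the string is the only record of how that particular password was hashed; a database can hold hashes produced under several generations of settings at once.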
Usage:

```typescript
async secureUserPassword(
  plainPassword: string,
): Promise<string> {
  // The method accepts a string or a Buffer; here the password is passed as a UTF-8 buffer.
  const passwordBuffer = Buffer.from(plainPassword, 'utf-8');
  const hashedPassword = await this.cryptographyService.createArgonHashFromPassword(passwordBuffer);
  // The result is already the encoded "$argon2..." string, ready to be stored.
  return hashedPassword;
}
```
Verify Argon2 hash
Method to verify whether an existing Argon2 hash matches the given text/password.

verifyArgonHashFromPassword

```typescript
public verifyArgonHashFromPassword(
  hash: string,
  data: string | Buffer,
): Promise<boolean>;
```
Parameters:

| Name | Type | Default | Description |
|---|---|---|---|
| `hash` (required) | `string` | | String of the existing hash |
| `data` (required) | `string \| Buffer` | | String or buffer to verify |
Outputs:

As output, it will return `true` if the two match, or `false` if not.
Usage:

```typescript
async checkUserPassword(
  plainPassword: string,
  hashedPassword: string,
): Promise<boolean> {
  // Pass the same representation that was hashed (here a UTF-8 buffer of the password).
  const passwordBuffer = Buffer.from(plainPassword, 'utf-8');
  return this.cryptographyService.verifyArgonHashFromPassword(hashedPassword, passwordBuffer);
}
```
🛟 Tips
Remember that...

Buffers can be converted to utf8, hex, base64, latin1, ... strings using the `toString()` method:

```typescript
const passwordAsBuffer: Buffer = someMethodThatReturnsABuffer();
console.log(passwordAsBuffer.toString('hex'));    // f32.....4ee
console.log(passwordAsBuffer.toString('base64')); // 8OI.....ZQ=
```