Version: 3.x

Password Hashing

In this section, we explore how to hash passwords securely with Argon2, one of the most advanced and secure password-hashing algorithms available today. Argon2 won the Password Hashing Competition (PHC) and is designed to resist brute-force attacks in two ways: each hash consumes significant computational resources, and the function is memory-hard. This makes it a preferred choice for modern security practices.

Create Argon2 hash

Creates a hash of a text/password using the Argon2 algorithm.

createArgonHashFromPassword

public createArgonHashFromPassword (
  data: string | Buffer,
): string;

Parameters:

Name              Type               Default   Description
data (required)   string | Buffer              Password to hash

Module Parameters:


Internally, this method uses certain parameters that are defined at the module level during initialization, as we have seen previously. The internal parameters used and their corresponding configuration keys are as follows:

  • hashLength: Specifies the length of the resulting hash. This is set via hashing.password.outputKeyLength and determines the size of the final hash in bytes.

  • type: Defines the variant of Argon2 to use (argon2i, argon2d, or argon2id). This is configured using hashing.password.argon2Type.

  • memoryCost: Sets the amount of memory (in KB) that the algorithm will use during the hashing process. This value is determined by hashing.password.memoryCost and plays a critical role in resisting brute-force attacks.

  • timeCost: Specifies the number of iterations or the amount of computational work Argon2 will perform. It is defined via hashing.password.timeCost to ensure a balance between security and performance.

Outputs:

The method returns an encoded string of the form: $argon2i$v=19$m=4096,t=3,p=1$c2g56.....jk7A

The values argon2i, v=19, m=4096, t=3 and p=1 may vary depending on the options supplied to CryptographyModule when it was configured.

Usage:

async secureUserPassword(
  plainPassword: string,
): Promise<string> {
  const _buffer = Buffer.from(plainPassword, 'utf-8');
  const hashedPassword = await this.cryptographyService.createArgonHashFromPassword(_buffer);
  return hashedPassword.toString();
}

Verify Argon2 hash

Method to verify if an existing Argon2 hash matches the desired text/password.

verifyArgonHashFromPassword

public verifyArgonHashFromPassword (
  hash: string,
  data: string | Buffer,
): Promise<boolean>;

Parameters:

Name              Type               Default   Description
hash (required)   string                       String of the existing hash
data (required)   string | Buffer              String or buffer to verify

Outputs:

The method returns true if the supplied data matches the hash, or false if it does not.

Usage:

async checkUserPassword(
  plainPassword: string,
  hashedPassword: string
): Promise<boolean> {
  // Convert the candidate password to a buffer and verify it against the stored hash
  const _buffer = Buffer.from(plainPassword, 'utf-8');
  return await this.cryptographyService.verifyArgonHashFromPassword(hashedPassword, _buffer);
}
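
The encoded string described under Outputs carries the parameters each hash was created with, so a stored hash can be checked against the current hashing.password.* settings after a successful verification. The following is an added example, not part of the library; PasswordPolicy, parseArgon2Hash, needsRehash and the sample hash are hypothetical names and constructed values.

```typescript
// Added example: not part of the library. Parses the encoded Argon2 string
// shown under "Outputs" and compares it with the currently configured policy.
type Argon2Type = 'argon2i' | 'argon2d' | 'argon2id';

interface Argon2Params {
  type: Argon2Type;
  version: number;     // v=
  memoryCost: number;  // m=
  timeCost: number;    // t=
  parallelism: number; // p=
  hashLength: number;  // bytes, derived from the base64 hash segment
}

// Hypothetical shape mirroring the hashing.password.* configuration keys.
interface PasswordPolicy {
  argon2Type: Argon2Type;
  memoryCost: number;
  timeCost: number;
  outputKeyLength: number;
}

// $<type>$v=<n>$m=<n>,t=<n>,p=<n>$<salt b64>$<hash b64>, as in the page's example.
const ENCODED =
  /^\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)\$([A-Za-z0-9+\/]+)\$([A-Za-z0-9+\/]+)$/;

function parseArgon2Hash(encoded: string): Argon2Params | null {
  const m = ENCODED.exec(encoded);
  if (m === null) return null; // truncated, tampered, or not an Argon2 hash
  return {
    type: m[1] as Argon2Type,
    version: Number(m[2]),
    memoryCost: Number(m[3]),
    timeCost: Number(m[4]),
    parallelism: Number(m[5]),
    hashLength: Math.floor((m[7].length * 3) / 4), // unpadded base64 -> bytes
  };
}

// True when a stored hash does not meet the policy and should be replaced
// with a fresh hash after the next successful verification.
function needsRehash(encoded: string, policy: PasswordPolicy): boolean {
  const p = parseArgon2Hash(encoded);
  if (p === null) return true;
  return p.type !== policy.argon2Type || p.memoryCost < policy.memoryCost ||
    p.timeCost < policy.timeCost || p.hashLength < policy.outputKeyLength;
}

// Constructed sample: 16-byte salt, placeholder 32-byte hash (43 base64 chars).
const SAMPLE = '$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0c2FsdA$' + 'A'.repeat(43);
```

Call needsRehash only after verifyArgonHashFromPassword has returned true, since that is the only moment the plain password is available to create the replacement hash.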

🛟 Tips


Remember that buffers can be converted to utf8, hex, base64, latin1, ... strings using the toString() method.

const passwordAsBuffer: Buffer = someMethodThatReturnsABuffer();

console.log(passwordAsBuffer.toString('hex')); // f32.....4ee
console.log(passwordAsBuffer.toString('base64')); // 8OI.....ZQ=