Configs2026年7月7日·1 分钟阅读

bcrypt.js — Industry-Standard Password Hashing for Node.js

A native C++ bcrypt implementation for Node.js providing secure password hashing and verification.

Agent 就绪

Agent 可直接安装

这个资产可安装;Agent 先选择当前运行时、检查安装计划,再运行匹配命令。

Native · 98/100策略:允许
Agent 入口
任意 MCP/CLI Agent
类型
Skill
安装
Single
信任
信任等级:Established
入口
bcrypt.js Overview
直接安装命令
npx -y tokrepo@latest install 6738c344-799e-11f1-9bc6-00163e2b0d79 --target codex

先 dry-run 确认安装计划,再运行此命令。

Introduction

bcrypt for Node.js is a native addon that implements the bcrypt password hashing algorithm. bcrypt is deliberately slow and computationally expensive, making brute-force attacks impractical. This library is the standard choice for hashing and verifying user passwords in Node.js applications and has been battle-tested across thousands of production systems.

What bcrypt Does

  • Hashes passwords using the bcrypt algorithm with configurable cost factor
  • Verifies plaintext passwords against stored bcrypt hashes
  • Generates cryptographically secure random salts automatically
  • Provides both async (Promise-based) and sync APIs
  • Uses a native C++ binding for optimal performance

Architecture Overview

The library wraps the OpenBSD bcrypt reference implementation in a C++ Node.js native addon via node-addon-api. When hashing, it generates a random 16-byte salt, applies the Blowfish-based key derivation function for 2^cost rounds, and produces a 60-character hash string encoding the algorithm version, cost factor, salt, and hash. The async API offloads the CPU-intensive hashing to a worker thread pool so the Node.js event loop is not blocked.

Self-Hosting & Configuration

  • Install via npm: npm install bcrypt (requires a C++ compiler for native build)
  • Set the cost factor (salt rounds) based on your security needs: 10 is a common default
  • Use the async API in web servers to avoid blocking: await bcrypt.hash(password, 10)
  • For environments without native compilation, use the pure JS fallback: npm install bcryptjs
  • The output hash string is self-describing, so no separate salt storage is needed

Key Features

  • Adaptive cost factor: increase rounds as hardware gets faster
  • Automatic salt generation eliminates manual salt management
  • Async API prevents event loop blocking during hashing
  • Self-contained hash strings include algorithm version, cost, and salt
  • Native C++ implementation for maximum throughput

Comparison with Similar Tools

  • bcryptjs — pure JavaScript implementation; slower but requires no native compilation
  • argon2 — newer algorithm (PHC winner); stronger but less universally supported
  • scrypt (crypto.scrypt) — built into Node.js crypto; bcrypt has wider ecosystem adoption
  • PBKDF2 — available in Node.js crypto; bcrypt is more resistant to GPU-based attacks

FAQ

Q: What salt rounds value should I use? A: Start with 10. Each increment doubles the computation time. Benchmark on your hardware and aim for 250ms or more per hash.

Q: Do I need to store the salt separately? A: No. The bcrypt hash string embeds the salt, algorithm version, and cost factor. Store only the hash.

Q: Why does installation fail on some systems? A: bcrypt requires a C++ compiler and Python for node-gyp. If native builds are not possible, use the pure JavaScript bcryptjs package instead.

Q: Is bcrypt still secure in 2025? A: Yes. With an appropriate cost factor (12+), bcrypt remains resistant to brute-force attacks. Argon2 is the newer standard but bcrypt is still widely trusted.

Sources

讨论

登录后参与讨论。
还没有评论,来写第一条吧。

相关资产