Optimized bcrypt in JavaScript with zero dependencies, with TypeScript support. Compatible to the C++ bcrypt binding on Node.js and also working in the browser.
Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power. (see)
While bcrypt.js is compatible to the C++ bcrypt binding, it is written in pure JavaScript and thus slower (about 30%), effectively reducing the number of iterations that can be processed in an equal time span.
The maximum input length is 72 bytes (note that UTF-8 encoded characters use up to 4 bytes) and the length of generated
hashes is 60 characters. Note that maximum input length is not implicitly checked by the library for compatibility with
the C++ binding on Node.js, but should be checked with bcrypt.truncates(password) where necessary.
The package exports an ECMAScript module with an UMD fallback.
$> npm install bcryptjs
import bcrypt from "bcryptjs";
https://cdn.jsdelivr.net/gh/dcodeIO/bcrypt.js@TAG/index.js (ESM)
- From npm via jsDelivr:
https://cdn.jsdelivr.net/npm/bcryptjs@VERSION/index.js (ESM)
https://cdn.jsdelivr.net/npm/bcryptjs@VERSION/umd/index.js (UMD)
- From npm via unpkg:
https://unpkg.com/bcryptjs@VERSION/index.js (ESM)
https://unpkg.com/bcryptjs@VERSION/umd/index.js (UMD)
Replace TAG respectively VERSION with a specific version or omit it (not recommended in production) to use latest.
When using the ESM variant in a browser, the crypto import needs to be stubbed out, for example using an import map. Bundlers should omit it automatically.
To hash a password:
const salt = bcrypt.genSaltSync(10);
const hash = bcrypt.hashSync("B4c0/\/", salt);
// Store hash in your password DB
To check a password:
// Load hash from your password DB
bcrypt.compareSync("B4c0/\/", hash); // true
bcrypt.compareSync("not_bacon", hash); // false
Auto-gen a salt and hash:
const hash = bcrypt.hashSync("bacon", 10);
To hash a password:
const salt = await bcrypt.genSalt(10);
const hash = await bcrypt.hash("B4c0/\/", salt);
// Store hash in your password DB
bcrypt.genSalt(10, (err, salt) => {
bcrypt.hash("B4c0/\/", salt, function (err, hash) {
// Store hash in your password DB
});
});
To check a password:
// Load hash from your password DB
await bcrypt.compare("B4c0/\/", hash); // true
await bcrypt.compare("not_bacon", hash); // false
// Load hash from your password DB
bcrypt.compare("B4c0/\/", hash, (err, res) => {
// res === true
});
bcrypt.compare("not_bacon", hash, (err, res) => {
// res === false
});
Auto-gen a salt and hash:
await bcrypt.hash("B4c0/\/", 10);
// Store hash in your password DB
bcrypt.hash("B4c0/\/", 10, (err, hash) => {
// Store hash in your password DB
});
Note: Under the hood, asynchronous APIs split an operation into small chunks. After the completion of a chunk, the execution of the next chunk is placed on the back of the JS event queue, efficiently yielding for other computation to execute.
Usage: bcrypt <input> [rounds|salt]
T>: (err: Error | null, result?: T) => voidCalled with an error on failure or a value of type T upon success.
(percentage: number) => voidCalled with the percentage of rounds completed (0.0 - 1.0), maximally once per MAX_EXECUTION_TIME = 100 ms.
(length: number) => number[]Called to obtain random bytes when both Web Crypto API and Node.js crypto are not available.
number): stringSynchronously generates a salt. Number of rounds defaults to 10 when omitted.
number): Promise<string>Asynchronously generates a salt. Number of rounds defaults to 10 when omitted.
number, ]callback: Callback<string>): voidAsynchronously generates a salt. Number of rounds defaults to 10 when omitted.
string): booleanTests if a password will be truncated when hashed, that is its length is greater than 72 bytes when converted to UTF-8.
bcrypt.hashSync(password: string, salt?: number | string): string
Synchronously generates a hash for the given password. Number of rounds defaults to 10 when omitted.
bcrypt.hash(password: string, salt: number | string): Promise<string>
Asynchronously generates a hash for the given password.
string, salt: number | string, callback: Callback<string>, progressCallback?: ProgressCallback): voidAsynchronously generates a hash for the given password.
string, hash: string): booleanSynchronously tests a password against a hash.
string, hash: string): Promise<boolean>Asynchronously compares a password against a hash.
string, hash: string, callback: Callback<boolean>, progressCallback?: ProgressCallback)Asynchronously compares a password against a hash.
string): numberGets the number of rounds used to encrypt the specified hash.
string): stringGets the salt portion from a hash. Does not validate the hash.
RandomFallback): voidSets the pseudo random number generator to use as a fallback if neither Web Crypto API nor Node.js crypto are available. Please note: It is highly important that the PRNG used is cryptographically secure and that it is seeded properly!
Building the UMD fallback:
$> npm run build
Running the tests:
$> npm test
Based on work started by Shane Girish at bcrypt-nodejs, which is itself based on javascript-bcrypt (New BSD-licensed).
$ claude mcp add bcrypt.js \
-- python -m otcore.mcp_server <graph>