How to use the JavaScript bcrypt library

Find out how to use the bcrypt library to hash and check passwords in JavaScript

The bcrypt npm package is one of the most used packages for working with passwords in JavaScript.

This is security 101, but it's worth mentioning for new developers: you never store passwords in plain text in the database or anywhere else. You just don't.

What you do instead is generate a hash from the password, and store that.

Like this:

import bcrypt from 'bcrypt'
// or
// const bcrypt = require('bcrypt')

const password = 'oe3im3io2r3o2'
const rounds = 10

bcrypt.hash(password, rounds, (err, hash) => {
  if (err) {
    console.error(err)
    return
  }
  console.log(hash) // this is what you store, never the password
})

You pass a number as the second parameter: the higher it is, the more secure the hash is, but the longer it takes to generate.

The library README tells us that on a 2GHz core we can generate:

rounds=8 : ~40 hashes/sec
rounds=9 : ~20 hashes/sec
rounds=10: ~10 hashes/sec
rounds=11: ~5  hashes/sec
rounds=12: 2-3 hashes/sec
rounds=13: ~1 sec/hash
rounds=14: ~1.5 sec/hash
rounds=15: ~3 sec/hash
rounds=25: ~1 hour/hash
rounds=31: 2-3 days/hash

If you run bcrypt.hash() multiple times on the same password, the result will keep changing, because bcrypt generates a new random salt for every hash and embeds it in the output. This is key: there is no way to reconstruct the original password from a hash.

Given the same password and a hash it’s possible to find out if the hash was built from that password, using the bcrypt.compare() function:

bcrypt.compare(password, hash, (err, res) => {
  if (err) {
    console.error(err)
    return
  }
  console.log(res) //true or false
})

If it returns true, the password matches the hash, and we can for example let the user log in successfully.

You can use the bcrypt library with its promise-based API too, instead of callbacks:

const hashPassword = async () => {
  const hash = await bcrypt.hash(password, rounds)
  console.log(hash)
  console.log(await bcrypt.compare(password, hash))
}

hashPassword()
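The rounds value passed to bcrypt.hash() is recorded inside the resulting hash string, which is what lets you raise it later without locking anyone out. The following is an added example, not code from the original post or from the bcrypt project: it parses a stored hash to read its cost factor, and sketches a login flow that re-hashes with the current policy after a successful compare. The `lib` parameter stands in for the bcrypt module, and `parseBcryptHash`, `needsRehash`, `loginAndUpgrade` and the sample hash string are all assumptions constructed for this example.

```javascript
// Added example, not from the original post: read the cost factor stored
// inside a bcrypt hash and upgrade weak hashes at login time.
//
// A bcrypt hash is a 60-character string: "$2b$10$" + 22-char salt + 31-char
// digest. The rounds used to create it travel with the hash, so you can raise
// the cost for new hashes and re-hash old ones the next time a user logs in.
const BCRYPT_FORMAT = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/

function parseBcryptHash(stored) {
  const m = BCRYPT_FORMAT.exec(stored)
  if (!m) throw new Error('not a bcrypt hash')
  return { version: m[1], rounds: Number(m[2]), salt: m[3], digest: m[4] }
}

// True when the stored hash was made with fewer rounds than current policy.
function needsRehash(stored, targetRounds) {
  return parseBcryptHash(stored).rounds < targetRounds
}

// Login flow. `lib` is the bcrypt module ({ hash, compare }) in real use:
//   const bcrypt = require('bcrypt'); loginAndUpgrade(bcrypt, user, pw, 12)
// It is passed in so the logic can be exercised without the native module.
async function loginAndUpgrade(lib, user, password, targetRounds) {
  const ok = await lib.compare(password, user.hash)
  if (!ok) return { ok: false, upgraded: false }
  if (!needsRehash(user.hash, targetRounds)) return { ok: true, upgraded: false }
  user.hash = await lib.hash(password, targetRounds) // persist the new hash
  return { ok: true, upgraded: true }
}

// Constructed sample: syntactically valid, but not the hash of any real password.
const SAMPLE_HASH = '$2b$08$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234'

console.log(parseBcryptHash(SAMPLE_HASH).rounds) // 8
console.log(needsRehash(SAMPLE_HASH, 12))        // true
```

Only re-hash after bcrypt.compare() has succeeded, since that is the only moment the plaintext password is legitimately in hand.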
