I need to use bcrypt in Node, and as usual, there are 27 gazillion libraries to choose from.
The two top packages on npm are
How do they differ? Is there a compelling reason or use case to use one or the other?
Apparently the one is pure JS, and the other has bindings to a native C++ crypto library. And so the latter is faster than the former.
I've read that one should choose the fastest implementation of the slowest algorithm. So that means I should choose the non-JS one. However the JS one is even more popular. Why is that the case in node - is there a reason a "pure js" package is preferable to one that binds to a native library using node-gyp?
bcrypt is written in C++, with more than 400.000 downloads per week on npm and 5.1k stars on GitHub. bcryptjs is written in JavaScript, with more than 560.000 downloads per week on npm and 2.3k stars on GitHub. We'll try to benchmark both libraries at generating a password hash synchronously.
js uses “bcryptjs”. This module enables storing of passwords as hashed passwords instead of plaintext.
The compare function simply pulls the salt out of the hash and then uses it to hash the password and perform the comparison. When a user logs into our system, we should check whether the password entered is correct.
Is bcryptjs safe to use? The npm package bcryptjs was scanned for known vulnerabilities and missing license, and no issues were found. Thus the package was deemed as safe to use.
When considering dependencies being run in Node.js only, there's no reason not to follow the advice given to you about choosing the fastest implementation, which in this case is demonstrated to be the native binding of bcrypt.
For isomorphic JavaScript, where you expect it to be run in the browser as well, you can't use native bindings. So in this case, bcryptjs is the fastest implementation available in pure JavaScript.
Your alternative in order to use bcrypt in an isomorphic setting would be to compile your native binding into WebAssembly if that's even possible. Some native bindings cannot currently be compiled to WebAssembly yet, but this package appears to have at least a subset of bcrypt implemented in wasm, though I cannot vet its performance or security in comparison to your current two options.
The drawback to using WebAssembly is significantly more development time, especially if you're unfamiliar with the API, and that's hard to justify when bcryptjs is a drop-in replacement within the same ballpark of performance already.
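The compare step described earlier on this page works with either library because a bcrypt hash string carries its own version, cost and salt. The following is an added example, not part of the original answer or of either package's code: it parses those fields and goes one step further by using the stored cost to decide whether a hash should be re-hashed after a successful login. The sample hash is a constructed placeholder (format only), and `classifyStoredHash` and the minimum cost passed to it are assumptions.

```javascript
// Layout of a bcrypt hash in modular crypt format (60 characters):
//   $<version>$<2-digit cost>$<22-char salt><31-char digest>
// Salt and digest use bcrypt's own base64 alphabet: ./A-Za-z0-9
const BCRYPT_RE =
  /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Constructed placeholder with a valid layout; it is not the hash of any password.
const SAMPLE_HASH = "$2b$10$" + "C".repeat(21) + "." + "D".repeat(31);

// Split a stored hash into the fields a compare function needs.
// Returns null for anything that is not a well-formed bcrypt string.
function parseBcryptHash(hash) {
  if (typeof hash !== "string") return null;
  const m = BCRYPT_RE.exec(hash);
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // valid bcrypt cost range
  return {
    version: m[1],
    cost,
    iterations: 2 ** cost, // key-setup rounds grow exponentially with cost
    salt: m[3],            // reused as-is when hashing the login attempt
    digest: m[4],          // what the recomputed digest is compared against
  };
}

// Hypothetical policy helper, to be called after a successful compare:
//   "reject" - stored value is not a bcrypt hash (e.g. plaintext or truncated)
//   "rehash" - valid, but cost is below the current minimum
//   "ok"     - valid and strong enough
function classifyStoredHash(hash, minCost) {
  const parsed = parseBcryptHash(hash);
  if (parsed === null) return "reject";
  return parsed.cost < minCost ? "rehash" : "ok";
}

console.log(parseBcryptHash(SAMPLE_HASH));
console.log(classifyStoredHash(SAMPLE_HASH, 12));
```

Because the format is shared, hashes written by the native package can be verified by the pure-JS one and vice versa, so the policy check above does not depend on which library is installed.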