{"id":15415857,"url":"https://github.com/davidje13/pwd-hasher","last_synced_at":"2026-01-18T19:36:16.601Z","repository":{"id":65478509,"uuid":"200495901","full_name":"davidje13/pwd-hasher","owner":"davidje13","description":"simple password hashing with support for salt, secret pepper, and brute-force salt","archived":false,"fork":false,"pushed_at":"2023-12-23T20:47:21.000Z","size":108,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-10-23T01:28:34.654Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/davidje13.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-08-04T13:25:47.000Z","updated_at":"2024-04-02T17:42:39.000Z","dependencies_parsed_at":"2024-10-21T15:39:08.943Z","dependency_job_id":null,"html_url":"https://github.com/davidje13/pwd-hasher","commit_stats":{"total_commits":17,"total_committers":1,"mean_commits":17.0,"dds":0.0,"last_synced_commit":"0710a028298e945430804a3048d9aa92efceedfe"},"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/davidje13/pwd-hasher","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davidje13%2Fpwd-hasher","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davidje13%2Fpwd-hasher/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davidje13%2Fpwd-hasher/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davidje13%2Fpwd-hasher/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/davidje13","download_url":"https://codeload.github.com/davidje13/pwd-hasher/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davidje13%2Fpwd-hasher/sbom","scorecard":{"id":326911,"data":{"date":"2025-08-11","repo":{"name":"github.com/davidje13/pwd-hasher","commit":"0710a028298e945430804a3048d9aa92efceedfe"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/17 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}}]},"last_synced_at":"2025-08-18T02:40:42.546Z","repository_id":65478509,"created_at":"2025-08-18T02:40:42.547Z","updated_at":"2025-08-18T02:40:42.547Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28549504,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-18T19:22:41.102Z","status":"ssl_error","status_checked_at":"2026-01-18T19:22:26.310Z","response_time":98,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-01T17:10:02.701Z","updated_at":"2026-01-18T19:36:16.585Z","avatar_url":"https://github.com/davidje13.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Pwd Hasher\n\nSimple password hashing with support for salt, secret pepper, and brute-force salt.\n\n## Install dependency\n\n```bash\nnpm install --save pwd-hasher\n```\n\n## Usage\n\n```javascript\nimport { Hasher } from 'pwd-hasher';\n\nconst hasher = new Hasher({ secretPepper: 'shhh', workFactor: 10 });\n\nconst hashed = await hasher.hash('my-password');\n\nconst invalid = await hasher.compare('incorrect-password', hashed); // false\nconst valid = await hasher.compare('my-password', hashed); // true\n```\n\n### API\n\n#### Constructor\n\n```javascript\nconst hasher = new Hasher({ secretPepper, workFactor });\n```\n\nCreates a new `Hasher` object.\n\nThe `secretPepper` should be a string which is known only to the webserver (it should not be\nstored in the same database as the hashes) and must not change (if it changes, all passwords\nwill become invalid). Typically this would be provided as an environment variable to the web\nserver during deployment. By default this is a blank string `''`.\n\nThe `workFactor` should be an integer which controls the amount of work required to generate\nthe hash. This should be tuned to take the longest possible time which still gives a good\nuser experience when logging in, as this will provide the greatest protection for offline\nattacks against the password hash database. This value can and should change over time; if\nyou deploy your application to a more powerful server, the number should be raised. Each\nincrement approximately doubles the required work. By default this is `10`.\n\n#### `hash`\n\n```javascript\nconst hashed = await hasher.hash(password);\n```\n\nHashes the given password using a random salt and brute-force salt.\n\nThe algorithm used is `bcrypt(sha512(password+bruteSalt+secretPepper))` (`bcrypt` provides\nthe `salt`). This avoids password length restrictions. The `bruteSalt` is a random integer\nfrom 0 to 7 and provides additional protection against brute-force attacks (incorrect\npasswords will take, on average, approximately twice as much effort to invalidate as correct\npasswords will take to validate).\n\n#### `compare`\n\n```javascript\nconst match = await hasher.compare(password, hash);\n```\n\nChecks a password against the given hash. The configured `secretPepper` must match the value\nused when generating the original hash. The `workFactor` can be different; this will always\nuse the work factor stored with the hash.\n\n#### `needsRegenerate`\n\n```javascript\nconst regenerate = hasher.needsRegenerate(hash);\n```\n\nReturns `true` if the hash's work factor is lower than the currently configured work factor.\nIn this scenario, you should re-hash the password during a successful login. For example:\n\n```javascript\nasync function login(user, password) {\n  const hash = await myDB.getUserHash(user);\n  const success = await hasher.compare(password, hash);\n  if (!success) {\n    return false;\n  }\n  if (hasher.needsRegenerate(hash)) {\n    const newHash = await hasher.hash(password);\n    await myDB.saveUserHash(user, newHash);\n  }\n  return true;\n}\n```\n\nThis will ensure that old passwords are slowly updated to the latest work factor as users\nlog in to the application, even if the user does not update their password.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdavidje13%2Fpwd-hasher","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdavidje13%2Fpwd-hasher","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdavidje13%2Fpwd-hasher/lists"}