Storing passwords securely is an ever-changing game. For the past few years (2013 -> 2015), Jean-Philippe Aumasson has been running a world-renowned Password Hashing Competition in which security researchers submit, validate, and vet the best password hashing algorithms.

Just recently, the competition wrapped up, naming Argon2 king of the hashing algorithms.

This is good news for any web developer out there: you can now use the Argon2 algorithm to more securely store your users’ passwords!

Today I’m going to show you how you can easily hash your users’ passwords using the Argon2 algorithm, and introduce you to some best practices.

Argon2 Recommendation

In the crypto community, standards are created by holding open competitions in which researchers analyze various cryptographic algorithms, slowly looking for faults, weeding out the weaker submissions.

This is how Argon2 (pdf) was born.

The Password Hashing Competition yielded 24 separate hashing algorithm submissions, which were eventually pruned down to 9 finalists, out of which Argon2 was named the winner.

What does this mean for normal web developers? If you’re starting a new project, or looking to improve security on an existing project, you should immediately start using the Argon2 hashing algorithm to securely store all of your user passwords.

If you’re into C, you can look at the reference Argon2 implementation on Github here: https://github.com/P-H-C/phc-winner-argon2

Using Argon2 in Node.js

As of just a few weeks ago, you can now get started using Argon2 in Node, thanks to efforts by Ranieri Althoff.

First up, you need to install the argon2 npm package. This requires you have GCC >= 4.8 installed. If you don’t have GCC >= 4.8 already, and you’re using OSX, you can install it like so:

$ brew install gcc

Next, you need to install the node-gyp library globally — this is required because the argon2 package compiles and binds to the underlying C implementation of Argon2:

$ npm install -g node-gyp

Finally, you can install argon2 from NPM by running:

$ npm install argon2
# or... use the following command if you had to `brew install gcc` above
$ CXX=g++-5 npm install argon2

Once this is done, you need to ensure your project is a Git repository — this is required because of the way the underlying Argon2 library is being used. To ensure you’re in a Git repository, you can run the following command:

$ git init

Next up, you’ll need to require the argon2 library:

var argon2 = require('argon2');

Now, let’s say you receive a password from a user and want to hash it securely before storing it in a database. You can do this using the hash method:

NOTE: We’ll also let the argon2 library generate the cryptographic salt for us in a secure fashion.

argon2.generateSalt().then(salt => {
  argon2.hash('some-user-password', salt).then(hash => {
    console.log('Successfully created Argon2 hash:', hash);
    // TODO: store the hash in the user database
  });
});

Now, after you’ve stored a user’s Argon2 hash, how can you log a user in using the plain text password to verify it is correct? Using the verify method, of course!

argon2.verify('previously-created-argon-hash-here', 'some-user-password').then(() => {
  console.log('Successful password supplied!');
  // TODO: log the user in
}).catch(() => {
  console.log('Invalid password supplied!');
});

And that’s pretty much it, easy right?!
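Why does verify need only the stored hash and the candidate password, with no separate salt? Because the string that hash returns is an encoded record carrying the Argon2 variant, the cost parameters and the salt. The following is an added example, not code from the original post or from the argon2 package: it parses that encoding with Node built-ins only and checks whether a stored hash was created with parameters below your current policy, which is the check you need before transparently rehashing a user’s password on their next successful login. The field layout assumed is the reference implementation’s encoded format; needsRehash, the sample string and the policy values are constructed for illustration.

```javascript
// Layout: $argon2<variant>[$v=<version>]$m=<KiB>,t=<iterations>,p=<lanes>$<salt>$<hash>
// Salt and hash are base64 without '=' padding. Node's Buffer accepts unpadded base64.
function parseArgon2Hash(encoded) {
  if (typeof encoded !== 'string' || !encoded.startsWith('$argon2')) {
    throw new Error('not an Argon2 encoded hash');
  }
  const parts = encoded.split('$').slice(1); // drop the empty field before the first '$'
  const variant = parts.shift();              // "argon2i" or "argon2d"
  let version = 16;                           // v1.0 encodings omit the v= field (0x10)
  if (parts[0] && parts[0].startsWith('v=')) {
    version = parseInt(parts.shift().slice(2), 10);
  }
  const params = {};
  for (const kv of parts.shift().split(',')) {
    const [k, v] = kv.split('=');
    params[k] = parseInt(v, 10);
  }
  const [salt, hash] = parts;
  if (!salt || !hash) throw new Error('missing salt or hash field');
  return {
    variant,
    version,
    memoryKiB: params.m,
    iterations: params.t,
    parallelism: params.p,
    saltBytes: Buffer.from(salt, 'base64').length,
    hashBytes: Buffer.from(hash, 'base64').length,
  };
}

// True when a stored hash is weaker than the current policy and should be
// recomputed (with the freshly supplied password) after a successful verify.
function needsRehash(encoded, policy) {
  const p = parseArgon2Hash(encoded);
  return p.memoryKiB < policy.memoryKiB ||
         p.iterations < policy.iterations ||
         p.saltBytes < policy.minSaltBytes;
}

// Constructed sample (not real argon2.hash output): 16-byte salt, 32-byte hash,
// encoded the PHC way, i.e. base64 with padding stripped.
const b64 = (buf) => buf.toString('base64').replace(/=+$/, '');
const SAMPLE = '$argon2i$v=19$m=4096,t=3,p=1$' +
  b64(Buffer.alloc(16, 1)) + '$' + b64(Buffer.alloc(32, 2));
const POLICY = { memoryKiB: 65536, iterations: 3, minSaltBytes: 16 }; // hypothetical policy

console.log(parseArgon2Hash(SAMPLE));
console.log('needs rehash:', needsRehash(SAMPLE, POLICY)); // → true (m=4096 is below 65536)
```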

Summary

If you’re building new webapps, you should check out the NPM argon2 module for securely hashing your user passwords. It’s the new recommended password hashing algorithm, so don’t be afraid to get your hands dirty!

Also: if you’re looking for a service that makes creating users and storing user data really simple and secure, be sure to go sign up for Stormpath! We’re free to use, and provide all sorts of awesome features, including transparent password hashing upgrades, secure user data storage, and lots more.

We even have an amazingly simple and powerful express library that makes building secure websites and API services a matter of a few lines of code =)