Introduction

The OstroJS Hash facade provides secure Bcrypt and Argon2 hashing for storing user passwords. Bcrypt is used by default for registration and authentication if you use one of the OstroJS application starter kits.

Bcrypt is an excellent candidate for hashing passwords because its "work factor" can be adjusted, allowing the time it takes to create a hash to rise as hardware gets faster. When it comes to hashing passwords, slow is better: the longer an algorithm takes to hash a password, the longer it takes a malicious user to construct "rainbow tables" of all possible text hash values for brute-force attacks against the application.

Configuration

In the config/hashing.js configuration file for your application, you may set the default hashing driver.

Basic Usage

Hashing Passwords

The make method on the Hash facade may be used to hash a password:

const Controller = require('~/app/http/controllers/controller')
const Hash = require('@ostro/support/facade/hash')

class PasswordController extends Controller {
    /**
     * Update the password for the user.
     */
    async update({ request }) {
        let user = await request.user()
        // Never store the plain-text password; persist only the hash
        await user.fill({
            'password': Hash.make(request.input('newPassword'))
        }).save();
    }
}

module.exports = PasswordController

Adjusting The Bcrypt Work Factor

If you're using the Bcrypt algorithm, the rounds option in the make function lets you control the algorithm's work factor; however, for most applications, the default work factor maintained by OstroJS is fine:

const hashed = Hash.make('password', {
    'rounds': 12,
});

Verifying That A Password Matches A Hash

The Hash facade provides a check function for determining if a given plain-text string conforms to a particular hash:

if (Hash.check('plain-text', hashedPassword)) {
    // The passwords match...
}

Determining If A Password Needs To Be Rehashed

The Hash facade's needsRehash function lets you check whether the hasher's work factor has changed since the password was hashed. Some applications perform this check during the authentication process, since that is the only moment the plain-text password is available to produce a new hash:

if (Hash.needsRehash(hashed)) {
    // Re-assign the existing variable; a fresh `let` here would only create a shadowed copy
    hashed = Hash.make('plain-text');
}