
Authentication in Node.js - #6 Password Security

Code Realm

The NPM ecosystem offers two popular implementations of the bcrypt hashing algorithm, bcrypt and bcryptjs. bcryptjs is written in pure JavaScript and has zero dependencies, whereas bcrypt is written in C++ and requires node-gyp, Python 2, and a GCC compiler. bcrypt does offer some precompiled binaries, but in many instances you'd need to build it manually for your particular architecture and OS. This introduces an extra build step, but also increases performance by 30% compared to the JavaScript-based bcryptjs. You will find detailed installation instructions in the Wiki https://github.com/kelektiv/node.bcry...

Both libraries impose a limit of 72 bytes on the incoming string. Despite some confusion, the maximum length is in fact 72 bytes, not 56 https://security.stackexchange.com/a/... Any subsequent bytes are silently discarded: a passphrase that matches the first 72 bytes but differs from the 73rd byte onward would still pass the comparison, a false positive. As such, it's important that you limit the password length as part of input validation. Alternatively, you could prehash the password to lift the maximum length https://security.stackexchange.com/a/...

Keep in mind that although strings are internally represented in UTF-16 encoding in most JavaScript engines, the Node.js Buffer API interprets strings as UTF-8 by default. A string may have a length below 72 and yet still weigh more than 72 bytes. This is because certain symbols, such as accented characters and emojis, require more than one byte each in UTF-8 (and emojis additionally occupy two UTF-16 code units, known as a surrogate pair). In @hapi/joi, you can validate byte length instead of character length by passing utf8 as the second argument to the max() method.

Beware that C/C++ based implementations of bcrypt also truncate the input string at the first null byte. This commonly bites when you prehash the password and forget to encode the binary output, since a raw digest may contain 0x00 anywhere. As a rule of thumb, do NOT pass raw binary to bcrypt; always run the digest through base64 or hex encoding first https://blog.ircmaxell.com/2015/03/se...

As far as password validation is concerned, beyond the maximum length you may also want to enforce upper/lowercase letters and digits. A common oversight when writing a regular expression for passwords is to match ASCII characters only. While suitable for Anglophone users, this rule won't work for international visitors who attempt to input accented characters, such as those in French or German. Depending on your target demographic, you may want to employ Unicode property escapes instead (available as of ES2018) https://stackoverflow.com/a/48902765 Don't forget to enable Unicode support in your regex with the /u modifier (as of ES2015), and please verify Node.js support at https://node.green/

StackOverflow password regex https://stackoverflow.com/a/19605207

GitHub repo https://github.com/alex996/nodeauth
