@eryx/crypto/password Module


High-level password hashing and verification.

This module is the user-facing API for password storage. It hashes passwords with Argon2id using sensible defaults and stores them in a tagged string format, so the hashing scheme can change later while existing hashes remain identifiable by their tag.

The current format is the tag "$a$" followed by an Argon2id PHC string:

"$a$" + <Argon2id PHC string>

where the inner value is the standard Argon2 PHC encoded form containing the salt and cost parameters.

local password = require("@eryx/crypto/password")

local stored = password.hash("hunter2")
assert(password.verify("hunter2", stored))
assert(not password.verify("wrong-password", stored))

Summary

Functions

password.hash(password: string): string
password.verify(password: string, hash: string): boolean

API Reference

Functions

password.hash

Hashes a plaintext password for storage.

The result is a tagged string beginning with "$a$" followed by an Argon2id PHC string. The PHC portion embeds the salt and work-factor parameters, so you only need to store the returned string.

local stored = password.hash("correct horse battery staple")
password.hash(password: string): string

Parameters

password: string

The plaintext password to hash.

Returns

Tagged password hash suitable for database storage.

password.verify

Verifies a plaintext password against a stored hash.

The hash must be in this module's tagged format. Returns true if the password matches, otherwise false. Raises an error if the hash uses an unsupported tag or is malformed.

if password.verify(inputPassword, storedHash) then
	print("password accepted")
end
password.verify(password: string, hash: string): boolean

Parameters

password: string

The plaintext password to test.

hash: string

The stored tagged hash string returned by hash.

Returns

true if the password matches.
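The following login check is an added example and is not part of the @eryx/crypto/password module. It builds on password.hash and password.verify as documented above and shows the two things a caller has to handle: verify raises on a malformed or untagged stored value, so a corrupt database row must be caught rather than crash the request path; and returning early for an unknown username makes the response time reveal whether the account exists, so the example verifies against a throwaway hash in that case. The users table, the DUMMY_HASH, the checkLogin and needsRehash helpers, and the CURRENT_TAG constant are all constructed for this example; only the "$a$" tag is taken from the module's documentation.

```lua
-- Added example; not code from the @eryx/crypto/password module itself.
local password = require("@eryx/crypto/password")

-- Constructed sample user table. A real deployment reads the stored hash
-- from its database; the "mallory" row is a hypothetical corrupt value
-- that verify() will reject with an error.
local users = {
    alice = { hash = password.hash("correct horse battery staple") },
    mallory = { hash = "not-a-valid-hash" },
}

-- Hash of a throwaway password, computed once at startup. When the
-- username is unknown we still run verify() against this value so the
-- request takes roughly as long as it does for a real account. This is a
-- choice made in this example, not a guarantee documented by the module.
local DUMMY_HASH = password.hash("dummy-password-for-timing")

-- The tag prefix the module currently writes (see the format description).
local CURRENT_TAG = "$a$"

-- Returns true when a stored value was not written with the current tag,
-- so the caller can rehash it after the next successful login.
local function needsRehash(stored)
    return stored:sub(1, #CURRENT_TAG) ~= CURRENT_TAG
end

-- Returns true on success, or false plus a reason on failure.
local function checkLogin(username, input)
    local user = users[username]
    local stored = user and user.hash or DUMMY_HASH

    -- verify() raises on an unsupported tag or a malformed string, so the
    -- call is wrapped in pcall and the login fails closed on error.
    local ok, matches = pcall(password.verify, input, stored)
    if not ok then
        -- On failure `matches` holds the error message.
        return false, "stored hash is malformed: " .. tostring(matches)
    end

    -- An unknown user is rejected even if the input happened to match the
    -- dummy hash; the message is the same as for a wrong password.
    if user == nil or not matches then
        return false, "invalid username or password"
    end
    return true
end

assert(checkLogin("alice", "correct horse battery staple") == true)
assert(checkLogin("alice", "wrong-password") == false)
assert(checkLogin("nobody", "anything") == false)
assert(checkLogin("mallory", "anything") == false)
assert(needsRehash(users.alice.hash) == false)
assert(needsRehash(users.mallory.hash) == true)
```

The pcall wrapper is the important part: because verify raises instead of returning false for an unrecognised tag, any code path that reads hashes it did not write (imports, legacy rows, manual edits) has to decide explicitly what a malformed value means, and failing closed with a logged reason is the safe default.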