Question 1

How to migrate from bcrypt to Argon2 using upash?

Accepted Answer

upash provides a migration guide that recommends installing both algorithms, using Argon2 for new passwords, and gradually updating old hashes with the verify function's automatic detection. This allows a smooth transition without locking out users.

Question 2

Is upash better than using argon2 directly in Node.js?

Accepted Answer

upash adds value with its unified API and easy switching, but if you only need Argon2 and don't plan to change algorithms, using @phc/argon2 directly might be simpler. upash is best for teams prioritizing future-proofing and migration flexibility.

Question 3

Can upash be used in a React Native or browser app?

Accepted Answer

No, because the core algorithm packages are Node.js only, and browser-compatible implementations are still a work in progress. You'd need a Node.js backend to use upash effectively in such environments.

Question 4

How to tune hashing parameters with the upash CLI?

Accepted Answer

Install the separate upash-cli package, then use it to hash and verify passwords with different work factors like time and memory. This helps optimize security versus performance based on your hardware, as demonstrated in the CLI gif.

Question 5

What happens if an algorithm package I use with upash has a security vulnerability?

Accepted Answer

You're dependent on the maintainers of those external packages, so you must monitor and update them separately. upash itself doesn't bundle algorithms, so security updates require manual intervention on the algorithm packages.

Question 6

Does upash support scrypt for password hashing?

Accepted Answer

Yes, via the @phc/scrypt package, which is listed in the recommended implementations. However, like others, it's Node.js only and requires separate installation alongside upash.

upash

What is upash?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions