

What are Bun's practices for password management


Bun's Password Management Practices

Bun ships a built-in `Bun.password` API (`hash()` and `verify()`, which return Promises, plus synchronous `hashSync()` and `verifySync()` variants) for hashing and verifying passwords. The practices it encodes:

1. Use Secure Hashing Algorithms

Bun supports the two families of password hashing algorithm that current guidance recommends:

- Argon2 (default: argon2id) - A memory-hard password-hashing function; the argon2id variant combines resistance to GPU/ASIC cracking with resistance to cache-timing side channels. The argon2i and argon2d variants can be selected explicitly via the `algorithm` option[4][5]
- bcrypt - A widely deployed adaptive hash built on the Blowfish block cipher. A caveat inherent to the algorithm: standard bcrypt only processes the first 72 bytes of its input[4][5]

Both come with secure defaults that can be tuned: `memoryCost` (in KiB) and `timeCost` (iterations) for Argon2, and `cost` (the work factor, 4 to 31) for bcrypt[4][5]. The chosen values are recorded inside the hash string, so you can raise them as hardware gets faster while older hashes remain verifiable.

2. Generate Unique Salts

A fresh random salt is generated by `Bun.password.hash()` on every call and embedded in the output string; the application never generates or stores a salt itself[7]. Salting defeats precomputed rainbow tables and gives two users with the same password different hashes, which also means hashing the same password twice yields two different strings.

3. Store Hashes, Not Passwords

`Bun.password.hash()` returns only the hash string, so the plaintext never needs to be persisted. Storing that string, and nothing else, is the application's responsibility; the payoff is that a leaked database yields only hashes that still have to be cracked one entry at a time[1][2].

4. Provide Verification Functions

`Bun.password.verify(password, hash)` checks a candidate password against a stored hash. It reads the algorithm, cost parameters and salt out of the hash string, recomputes the hash of the candidate with those same inputs, and performs the comparison inside the library, so application code never re-implements that logic or compares hash strings by hand[4][5]. Hashing the candidate yourself and comparing with `===` would not work anyway: each `hash()` call uses a fresh salt, so the two strings never match.

5. Encode Hashes for Compatibility

Argon2 hashes are encoded in the PHC string format (`$argon2id$v=19$m=...,t=...,p=...$<salt>$<hash>`), while bcrypt hashes use the Modular Crypt Format (`$2a$`/`$2b$<cost>$<salt+hash>`), so hashes produced by Bun can be verified by other standard Argon2 and bcrypt implementations and vice versa[5].
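The following is an added example, not code from this page or from the Bun project. It makes the points above concrete: it parses the two hash formats to show what each string carries (algorithm, cost parameters, salt), which is why `verify()` needs nothing but the stored string, and it adds a policy check that flags hashes produced with weaker settings than the current ones so they can be re-hashed on the next successful login. The sample hash strings are constructed placeholders, and the `POLICY` thresholds are an assumption chosen for the example. The parsers run on any JavaScript runtime; the `Bun.password` calls at the end run only under Bun.

```javascript
// Added example (not from the page or the Bun project). Parsers for the two
// hash formats Bun.password emits, a rehash-on-login policy check, and a demo
// of the documented Bun.password API that runs only when the Bun global exists.

// Parse a PHC-format Argon2 string: $argon2id$v=19$m=65536,t=2,p=1$<salt>$<hash>
function parseArgon2(phc) {
  const parts = phc.split("$"); // leading "$" yields an empty first element
  if (parts.length !== 6 || parts[0] !== "") throw new Error("not a PHC argon2 string");
  const [, algorithm, version, paramStr, salt, hash] = parts;
  if (!/^argon2(id|i|d)$/.test(algorithm)) throw new Error(`unsupported id: ${algorithm}`);
  const params = {};
  for (const kv of paramStr.split(",")) {
    const [k, v] = kv.split("=");
    params[k] = Number(v);
  }
  return {
    algorithm,
    version: Number(version.replace(/^v=/, "")),
    memoryCost: params.m, // KiB
    timeCost: params.t, // iterations
    parallelism: params.p,
    salt, // base64 without padding; left undecoded
    hash,
  };
}

// Parse a Modular Crypt Format bcrypt string: $2b$10$<22-char salt><31-char hash>
function parseBcrypt(mcf) {
  const m = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/.exec(mcf);
  if (!m) throw new Error("not a bcrypt MCF string");
  return { algorithm: "bcrypt", variant: m[1], cost: Number(m[2]), salt: m[3], hash: m[4] };
}

// Minimum parameters a stored hash must meet. These thresholds are an
// assumption chosen for the example; set them from your own policy.
const POLICY = { memoryCost: 65536, timeCost: 2, bcryptCost: 10 };

// True when a stored hash was produced with weaker settings than the policy
// (or with a non-argon2id Argon2 variant), i.e. it should be re-hashed.
function needsRehash(stored, policy = POLICY) {
  if (stored.startsWith("$argon2")) {
    const p = parseArgon2(stored);
    return p.algorithm !== "argon2id" || p.memoryCost < policy.memoryCost || p.timeCost < policy.timeCost;
  }
  if (stored.startsWith("$2")) return parseBcrypt(stored).cost < policy.bcryptCost;
  throw new Error("unrecognised hash format");
}

// Constructed sample strings. The Argon2 salt field is base64("saltsaltsaltsalt")
// and the digest field is a placeholder, not a real hash.
const SAMPLE_ARGON2 = "$argon2id$v=19$m=65536,t=2,p=1$c2FsdHNhbHRzYWx0c2FsdA$" + "A".repeat(43);
const WEAK_ARGON2 = "$argon2i$v=19$m=4096,t=1,p=1$c2FsdHNhbHRzYWx0c2FsdA$" + "A".repeat(43);
const SAMPLE_BCRYPT = "$2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy";

// Login flow with Bun's documented API: verify() reads algorithm, parameters and
// salt from the stored string; on success, upgrade hashes that fall below POLICY.
async function loginAndUpgrade(password, storedHash) {
  const ok = await Bun.password.verify(password, storedHash);
  if (!ok) return { ok: false, newHash: null };
  const newHash = needsRehash(storedHash) ? await Bun.password.hash(password) : null;
  return { ok: true, newHash };
}

async function demo() {
  const password = "correct horse battery staple";
  const h1 = await Bun.password.hash(password); // argon2id with Bun's defaults
  const h2 = await Bun.password.hash(password);
  console.log("fresh salt per call, so the two hashes differ:", h1 !== h2);
  console.log("parsed:", parseArgon2(h1));
  // Deliberately low bcrypt cost to exercise the rehash path.
  const weak = await Bun.password.hash(password, { algorithm: "bcrypt", cost: 4 });
  console.log("weak bcrypt hash needs rehash:", needsRehash(weak));
  console.log("login with weak hash:", await loginAndUpgrade(password, weak));
  console.log("wrong password:", await loginAndUpgrade("wrong", h1));
}

if (typeof Bun !== "undefined") demo();
```

The rehash-on-login pattern is how you raise `memoryCost`, `timeCost` or `cost` over time without a migration: the stored string tells you which parameters produced it, `verify()` still accepts it, and the plaintext is in hand at login, which is the only moment a stronger hash can be computed.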

In summary, Bun's built-in password hashing provides a convenient and secure way to manage passwords, following industry best practices like using strong algorithms, salting hashes, and providing verification functions. This helps developers build more secure applications without needing to implement complex password handling logic themselves.

Citations:
[1] https://www.beyondtrust.com/blog/entry/top-15-password-management-best-practices
[2] https://delinea.com/blog/20-password-management-best-practices
[3] https://www.it.ucsb.edu/general-security-resources/password-best-practices
[4] https://bun.sh/guides/util/hash-a-password
[5] https://bun.sh/blog/bun-v0.6.8
[6] https://github.com/oven-sh/bun/issues/9009
[7] https://github.com/oven-sh/bun/discussions/10335
[8] https://stackoverflow.com/questions/77086422/bun-1-0-0-bun-password-hash-error-cannot-find-name-bun