Security / Authentication
Password Hashing
The Archery framework includes a password hasher utility built on PBKDF2 with HMAC-SHA256. Its two defensive properties serve different purposes: the per-password random salt defeats precomputed (rainbow table) attacks, and the iteration count raises the cost of every guess an attacker makes in a brute-force attack against a leaked database.
Hashing Passwords
Hash a password by calling Hasher.make() on the plaintext string. Archery's hasher runs 25,000 PBKDF2 iterations over a 16-byte salt drawn from a cryptographically secure random source and produces a 256-bit (32-byte) derived key. Store the value returned by Hasher.make(), never the raw password. Be aware that 25,000 iterations is well below current guidance (OWASP recommends 600,000 iterations for PBKDF2-HMAC-SHA256); if the hasher exposes the iteration count, raise it to what your login latency budget allows.
import 'package:archery/archery/archery.dart';
// Create a new user...
final user = User();
user.email = 'jane@example.com';
user.password = Hasher.make(key: 'iLoveArchery123');
await user.save();
Verifying Passwords
Hasher.check() verifies a raw password against a stored hash. Because it takes only the password and the stored value, the salt travels inside that value: store the string exactly as Hasher.make() returned it. check() re-derives the key with that salt and compares the result to the stored key.
Most importantly, that comparison is constant-time: its duration does not depend on how many leading bytes of the two keys agree. An ordinary string equality that returns at the first mismatching byte leaks exactly that information to an attacker who measures response times, which is why a dedicated comparison is used to defend your application against timing attacks.
if (Hasher.check(key: requestPassword, hash: storedHash)) {
// Passwords match!
}
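To show what the two calls above do internally, here is an added example, written in Python rather than taken from Archery's Dart code, that performs the same steps the page describes: a 16-byte CSPRNG salt, 25,000 rounds of PBKDF2-HMAC-SHA256 yielding a 32-byte key, and a constant-time comparison on verification. The storage layout (a `$`-separated record that carries the iteration count) and the `needs_rehash` helper are assumptions for this example, not Archery's format or API; they are included because keeping the iteration count next to the hash is what lets you raise it later without locking out existing users.

```python
import base64
import hashlib
import hmac
import os

# Parameters the page states for Archery's hasher: PBKDF2-HMAC-SHA256,
# 25,000 iterations, 16-byte salt, 256-bit (32-byte) derived key.
ALGORITHM = "sha256"
ITERATIONS = 25_000
SALT_BYTES = 16
KEY_BYTES = 32

# Record layout is an assumption for this example, not Archery's format:
#   "pbkdf2-sha256$<iterations>$<base64 salt>$<base64 key>"
# Base64 never contains '$', so the record splits unambiguously.
PREFIX = "pbkdf2-sha256"


def make(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted key from `password` and return the encoded record."""
    salt = os.urandom(SALT_BYTES)  # fresh CSPRNG salt for every password
    key = hashlib.pbkdf2_hmac(
        ALGORITHM, password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return "$".join([
        PREFIX,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ])


def parse_record(record: str):
    """Split a stored record into (iterations, salt, key)."""
    prefix, iters, salt_b64, key_b64 = record.split("$")
    if prefix != PREFIX:
        raise ValueError("unsupported hash format")
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(key_b64)


def check(password: str, record: str) -> bool:
    """Re-derive the key with the stored salt and parameters, then compare."""
    iterations, salt, expected = parse_record(record)
    candidate = hashlib.pbkdf2_hmac(
        ALGORITHM, password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest does not stop at the first mismatching byte, so the
    # time it takes does not reveal how much of the key was correct. A plain
    # `candidate == expected` would short-circuit and leak that.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made with fewer iterations than now configured.

    Call this after a successful check(); you still have the plaintext at that
    moment, so you can re-hash with the stronger parameters and save it.
    """
    stored_iterations, _, _ = parse_record(record)
    return stored_iterations < iterations


if __name__ == "__main__":
    # Constructed sample input, mirroring the page's example password.
    record = make("iLoveArchery123")
    print(record)
    print("correct password:", check("iLoveArchery123", record))
    print("wrong password:  ", check("iLoveArchery124", record))
    old_record = make("iLoveArchery123", iterations=1_000)
    print("old record needs rehash:", needs_rehash(old_record))
```

Two details worth noting: `make()` called twice on the same password returns different records because the salt is fresh each time, which is exactly what stops a precomputed table from matching many accounts at once; and `check()` takes the iteration count and key length from the record, so raising `ITERATIONS` later does not break verification of records hashed under the old setting.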