{"id":12309,"library":"unix-crypt-td-js","title":"Unix crypt(3) DES-based Hash Implementation","description":"unix-crypt-td-js is a JavaScript implementation of the DES-based Unix crypt(3) password hashing algorithm, primarily based on the `crypt.c` source from the Seventh Edition Unix distribution. The package's current stable version is 1.1.4, with its last known publication to npm occurring in October 2019. Despite its historical accuracy in replicating the original Unix `crypt(3)` behavior, the underlying Data Encryption Standard (DES) algorithm is now considered cryptographically insecure. It utilizes a 56-bit key and only the first eight characters of a password, combined with a 12-bit salt, making it highly susceptible to modern brute-force attacks, dictionary attacks, and rainbow table attacks. The package is effectively unmaintained, with Snyk reporting an 'Inactive' maintenance status and limited community activity. Due to these fundamental security weaknesses and lack of ongoing development, it is unsuitable for securing sensitive data or user passwords in contemporary applications. Developers requiring secure password hashing should use modern, robust algorithms like bcrypt, scrypt, or Argon2, which are designed to resist current cryptanalytic techniques. The package has no active release cadence.","status":"abandoned","version":"1.1.4","language":"javascript","source_language":"en","source_url":"https://github.com/TimDumol/unix-crypt-td-js","tags":["javascript","crypt"],"install":[{"cmd":"npm install unix-crypt-td-js","lang":"bash","label":"npm"},{"cmd":"yarn add unix-crypt-td-js","lang":"bash","label":"yarn"},{"cmd":"pnpm add unix-crypt-td-js","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"This package primarily supports CommonJS `require`. 
While some bundlers might allow `import unixCryptTD from 'unix-crypt-td-js';`, named imports are not the intended pattern for this older package.","wrong":"import { unixCryptTD } from 'unix-crypt-td-js';","symbol":"unixCryptTD","correct":"const unixCryptTD = require('unix-crypt-td-js');"},{"note":"For modern ESM contexts, assuming bundlers handle the default export from the CommonJS module. Direct named import might fail without explicit configuration.","wrong":"const { unixCryptTD } = require('unix-crypt-td-js');","symbol":"unixCryptTD","correct":"import unixCryptTD from 'unix-crypt-td-js';"}],"quickstart":{"code":"const unixCryptTD = require('unix-crypt-td-js');\n\nconst password = 'mysecretpassword';\nconst salt = 'ab'; // In real Unix crypt(3), salt is typically 2 characters.\n\nconst hashedPassword = unixCryptTD(password, salt);\nconsole.log(`Hashed password (string): ${hashedPassword}`); // Expected output: 'abF03p.uQ.KqE'\n\n// Example with byte array input and byte array output\nconst passwordBytes = [102, 111, 111, 98]; // 'foob'\nconst saltBytes = [97, 114]; // 'ar'\nconst hashedPasswordBytes = unixCryptTD(passwordBytes, saltBytes, true);\nconsole.log(`Hashed password (bytes): [${hashedPasswordBytes.join(', ')}]`); // Expected output: '[97, 114, 108, 69, 75, 110, 48, 79, 122, 86, 74, 110, 46]'\n\n// Demonstrating the 8-character limit (everything after 'thisisal' is ignored)\nconst longPassword = 'thisisalongpassword';\nconst shortSalt = 'cd';\nconst hashedLongPassword = unixCryptTD(longPassword, shortSalt);\nconst hashedFirst8Chars = unixCryptTD('thisisal', shortSalt);\nconsole.log(`Hashed long password: ${hashedLongPassword}`);\nconsole.log(`Hashed first 8 chars: ${hashedFirst8Chars}`);\nconsole.log(`Are they the same? 
${hashedLongPassword === hashedFirst8Chars}`); // Should be true","lang":"javascript","description":"Demonstrates hashing a password with a given salt, including handling byte array inputs and showing the 8-character password truncation."},"warnings":[{"fix":"Do not use this package for securing sensitive data, especially user passwords. Migrate to modern, robust hashing algorithms like bcrypt, scrypt, or Argon2.","message":"The Data Encryption Standard (DES) algorithm used by this package is cryptographically insecure due to its short 56-bit key length and susceptibility to brute-force attacks with modern hardware. It has been formally withdrawn as a standard by NIST and is considered obsolete.","severity":"breaking","affected_versions":">=1.0.0"},{"fix":"Developers must be aware of this limitation and either enforce an 8-character password policy (not recommended for security) or, preferably, switch to a secure hashing algorithm that utilizes the full password length.","message":"The underlying Unix crypt(3) DES algorithm only uses the first eight characters of the provided password for hashing, silently truncating any longer input. This significantly reduces the effective entropy and makes passwords easier to crack.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Avoid using this algorithm. Modern password hashing schemes use much larger, randomly generated salts to protect against precomputation attacks and ensure each hash is unique.","message":"The DES-based crypt(3) algorithm uses a small 12-bit salt, leading to a limited number of unique hashes (4096 possible salts). 
This makes it highly vulnerable to precomputed rainbow table attacks, especially when combined with common passwords.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"It is strongly recommended to use actively maintained, cryptographically secure libraries for any security-sensitive operations.","message":"This package is effectively unmaintained, with no new versions released to npm in recent years and limited community activity, as reported by Snyk.","severity":"deprecated","affected_versions":">=1.1.4"}],"env_vars":null,"last_verified":"2026-04-19T00:00:00.000Z","next_check":"2026-07-18T00:00:00.000Z","problems":[{"fix":"Immediately replace `unix-crypt-td-js` with a modern, secure password hashing library such as `bcrypt`, `scrypt-js`, or `argon2`.","cause":"The DES-based Unix crypt(3) hash, implemented by this package, is fundamentally weak and susceptible to modern cracking techniques like brute-force and rainbow tables.","error":"Passwords are being compromised easily."},{"fix":"This is an inherent limitation of the algorithm. If full password entropy is required, you *must* switch to a different hashing algorithm that supports and utilizes longer passwords.","cause":"The Unix crypt(3) DES algorithm only processes the first 8 characters of the input password; any characters beyond that are ignored.","error":"Hash output is the same for different long passwords."}],"ecosystem":"npm"}