
How to use pbkdf2:sha256 for password hashing in a custom database?



We have an existing database that uses pbkdf2:sha256 to hash passwords. I want to use the custom database login script to connect to our database and verify our existing password hashes.

When I try to require('pbkdf2-sha256') I get an error: Cannot find module 'pbkdf2-sha256'. Is it possible to use pbkdf2-sha256 in a custom login function?


If you want to compare a password hashed with pbkdf2, you should be able to use the built-in crypto library configured with the expected digest function. Read more about this here:

How you call this will depend on your exact configuration when generating the hash, but here’s an example to get you started:

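const crypto = require('crypto');

// Derive a key from the submitted password using the stored parameters.
crypto.pbkdf2(password, salt, iterations, keyLength, 'sha256', function(err, key) {
  if (err) { return callback(err); }
  if (key.toString('hex') === hash) { /* password matches */ }
});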

To compare the hashes, we recommend a method like crypto.timingSafeEqual to avoid timing attacks.
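
An added example, not part of the original answer: verifying a stored hash with the built-in crypto module and crypto.timingSafeEqual. It assumes the database stores values as `pbkdf2:sha256:<iterations>$<salt>$<hex digest>` (the thread does not state the layout); `parseStored`, `verifyPassword` and `SAMPLE_STORED` are hypothetical names, and the synchronous `pbkdf2Sync` is used only to keep the example short.

```javascript
const crypto = require('crypto');

// Assumed stored layout (not stated in the thread):
//   pbkdf2:sha256:<iterations>$<salt>$<hex digest>
// Constructed sample: password "password", salt "salt", 4096 iterations.
const SAMPLE_STORED =
  'pbkdf2:sha256:4096$salt$' +
  'c5e478d59288c841aa530db6845c4c8d962893a001ce4e11a4963873aa98134a';

// Hypothetical helper: split the stored string into its parameters.
// Returns null for anything that does not match the assumed layout.
function parseStored(stored) {
  const m = /^pbkdf2:sha256:(\d{1,9})\$([^$]+)\$([0-9a-f]+)$/i.exec(String(stored));
  if (!m || m[3].length % 2 !== 0) return null; // hex must be whole bytes
  const iterations = Number(m[1]);
  if (iterations < 1) return null;
  return { iterations, salt: m[2], expected: Buffer.from(m[3], 'hex') };
}

// Hypothetical helper: true only if `password` reproduces the stored digest.
function verifyPassword(stored, password) {
  const p = parseStored(stored);
  if (!p || typeof password !== 'string') return false;
  // Derive as many bytes as the stored digest holds, using the stored
  // salt (as UTF-8 text) and iteration count.
  const derived = crypto.pbkdf2Sync(
    password, p.salt, p.iterations, p.expected.length, 'sha256');
  // timingSafeEqual throws when the buffers differ in length, so check first.
  return derived.length === p.expected.length &&
    crypto.timingSafeEqual(derived, p.expected);
}

console.log(verifyPassword(SAMPLE_STORED, 'password')); // correct password
console.log(verifyPassword(SAMPLE_STORED, 'Password')); // wrong password
```

Comparing the raw buffers rather than hex strings also avoids false mismatches when the stored digest uses uppercase hex.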