Skip to main content
The accounts-password package adds secure password-based authentication to Meteor applications, supporting both bcrypt and Argon2 password hashing.

Installation

This package automatically includes accounts-base.

Overview

The accounts-password package provides:
  • Secure password hashing with bcrypt or Argon2
  • User creation with email/username and password
  • Password reset and change functionality
  • Email verification
  • Enrollment emails for new users
  • Account lockout after failed attempts (with rate limiting)

Package Information

  • Version: 3.2.2
  • Summary: Password support for accounts
  • Dependencies: accounts-base, sha, email, random, check
  • NPM packages: bcrypt@5.0.1, argon2@0.41.1

Password Hashing

Bcrypt (Default)

By default, passwords are hashed using bcrypt:
Argon2 is the modern password hashing algorithm that won the Password Hashing Competition in 2015. It’s recommended for new applications.
argon2Enabled
boolean
default:"false"
Enable Argon2 password hashing instead of bcrypt
argon2Type
string
default:"argon2id"
Argon2 variant: argon2i (optimized for password hashing), argon2d (optimized for cryptocurrencies), or argon2id (hybrid, recommended)
argon2TimeCost
number
default:"2"
Number of iterations (higher = more secure, slower)
argon2MemoryCost
number
default:"19456"
Memory usage in KiB (higher = more secure, more memory)

User Creation

Client-Side

Server-Side

Login

With Email

With Username

With Username or Email

Password Management

Change Password

Set Password (Server)

Password Reset

Request Reset

Reset with Token

Email Verification

Send Verification Email

Verify Email with Token

Auto-send on Registration

Email Templates

Customize the emails sent by accounts-password:

User Enrollment

Security Configuration

Restrict Account Creation

Token Expiration

Ambiguous Error Messages

Enable ambiguous errors to prevent user enumeration attacks.

Rate Limiting

The package automatically uses ddp-rate-limiter to prevent brute force attacks:

Password Validation

Password Storage Format

Passwords are stored in the user document:
Passwords are automatically hashed before storage. The plain password is SHA-256 hashed on the client before transmission, then bcrypt/argon2 hashed on the server.

Example: Complete Registration Flow

Source Code