password-prompt
cross-platform masked or hidden prompt
This package has a good security score with no known vulnerabilities.
Community Reviews
Simple, focused password prompt that just works across platforms
The learning curve is essentially zero. There's no configuration needed for basic usage, and the optional parameters (custom prompt text, masking character) are intuitive. Error handling is straightforward - it throws on EOF/Ctrl+C, which you can catch like any promise rejection. I've used it in CLI tools where users need to enter credentials, and it's been completely reliable.
The main limitation is the lack of documentation around edge cases. The README is brief, showing basic usage but not much else. For instance, understanding how it behaves in non-TTY environments or when stdin is piped required reading the source code. That said, the source is clean and readable (under 200 lines), so debugging isn't difficult.
Best for: CLI applications needing simple, reliable password input without complexity or dependencies.
Avoid if: You need advanced features like password strength validation, confirmation prompts, or rich terminal UI interactions.
Simple, secure password prompting with minimal attack surface
From a security perspective, the zero-dependency approach is a major win. No transitive dependency risks, and the tiny codebase (~100 lines) is easily auditable. The password string is handled carefully without unnecessary copies, though it's still a JavaScript string in memory. The library doesn't attempt over-engineering features like strength validation or storage, keeping the attack surface minimal.
One practical gotcha: error handling when stdin isn't a TTY could be clearer. The library will fail in non-interactive environments, which is correct behavior, but the error messages don't guide you toward detection strategies. Also be aware passwords are still in V8's heap—if you need true memory security, you'll need native extensions.
Best for: CLI tools needing simple password input without complex validation or memory protection requirements.
Avoid if: You need secure memory handling, password strength validation, or rich interactive prompting features.
Dead-simple password prompting that just works across platforms
The learning curve is essentially non-existent. There's literally one function to call, and the README shows you everything you need in about 30 seconds. No configuration options to fiddle with, no edge cases to memorize. It either works or it doesn't, and in my experience it's always worked. Error handling is straightforward - it throws if stdin isn't a TTY, which makes sense.
The main limitation is that it's *too* simple for complex use cases. If you need password confirmation, strength validation, or custom masking characters, you'll need to build that yourself or look elsewhere. But for CLI tools that just need a secure password input, this is perfect. The small size and zero dependencies mean it won't bloat your project.
Best for: CLI applications needing simple, secure password input without the complexity of full-featured prompt libraries.
Avoid if: You need advanced features like password confirmation, strength meters, or integration with complex form flows.