npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2025 – Pkg Stats / Ryan Hefner

@syll20/backpass

v0.1.0

Published

Tiny keystroke-encoding library (Backpass) for capturing typed sequences with special-key tokens.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

syll20syll20

Keywords

backpasskeystrokepasswordsecuritybehavioral

Readme

Backpass

Backpass is a tiny, zero-dependency library that captures typed keystrokes on password (or other) inputs and encodes them into a stable Unicode token stream. Special keys (Backspace, Delete, Arrow keys, etc.) are encoded as private-use Unicode tokens so the exact behavior (including backspaces) is preserved.

This library intentionally preserves the encoded sequence as Unicode tokens (not reconstructing the final plaintext) so downstream systems can keep the raw behavioral sequence for verification, analytics or alternate authentication flows.

Table of contents

  • Features
  • Install
  • Quick usage
  • API reference
  • Why?
  • Examples (Vanilla / ESM / UMD / React / Vue)
  • Server-side handling and recommendations
  • Publishing to npm & GitHub
  • Contributing / Tests / CI
  • License

Features

  • Tiny, zero-dependency implementation written in TypeScript
  • ESM, CJS and UMD bundles provided (dist/)
  • Small, stable API: Backpass class with getBackpass/reset/destroy
  • Designed to be framework-agnostic; small wrappers/plugins are trivial to add

Install

npm:

npm install backpass

Or use the built UMD bundle from a CDN (unpkg/jsdelivr) by including dist/backpass.umd.js.

Quick usage

ESM (bundler / modern apps):

import { Backpass } from 'backpass'

const bp = new Backpass('#password')

// on submit
const encoded = bp.getBackpass()
// include `encoded` as `backpass` form field

// reset sequence after capture
bp.reset()

// destroy when not needed anymore
bp.destroy()

UMD (script tag / CDN):

<script src="https://unpkg.com/backpass/dist/backpass.umd.js"></script>
<script>
  const bp = new window.Backpass('#password')
  // ... same as ESM usage
  const encoded = bp.getBackpass()
  bp.reset()
  bp.destroy()
</script>

API reference

class Backpass

  • constructor(selectorOrElement: string | Element, options?: { debug?: boolean })

    • selectorOrElement: CSS selector string (e.g. '#password') or direct Element
    • options.debug: turn on verbose console logs for debugging

  • getBackpass(): string — returns the encoded Unicode token stream (e.g. "\u0031\u0032...\uE000\u0036")

  • reset(): void — clears internal sequence so subsequent captures start fresh

  • destroy(): void — removes event listeners and internal references

Encoding notes

  • Printable characters are encoded as \uXXXX hex Unicode escapes of the code point (for portability).
  • Special keys are mapped to private-use code points in the U+E000.. range. Example mapping used by the library:
    • Backspace => \uE000
    • Delete => \uE001
    • ArrowLeft => \uE002
    • ArrowRight => \uE003
    • ArrowUp => \uE004
    • ArrowDown => \uE005

Why?

Why not?

Examples

Vanilla HTML (ESM example referencing built dist):

<!doctype html>
<html>
  <body>
    <form id="form">
      <input id="password" type="password" />
      <input type="hidden" name="backpass" id="backpass_field" />
      <button type="submit">Submit</button>
    </form>
    <script type="module">
      import { Backpass } from './dist/index.mjs'
      const bp = new Backpass('#password')
      document.getElementById('form').addEventListener('submit', (e) => {
        document.getElementById('backpass_field').value = bp.getBackpass()
      })
    </script>
  </body>
</html>

React (small example using the class directly, no wrapper required):

import { useEffect, useRef } from 'react'
import { Backpass } from 'backpass'

function Login() {
  const bpRef = useRef(null)
  useEffect(() => {
    bpRef.current = new Backpass('#password')
    return () => bpRef.current?.destroy()
  }, [])

  const submit = (e) => {
    e.preventDefault()
    const encoded = bpRef.current?.getBackpass()
    // send encoded to server as `backpass`
    bpRef.current?.reset()
  }
}

Vue 3 (directive idea):

import { Backpass } from 'backpass'

app.directive('backpass', {
  mounted(el, binding) {
    el._bp = new Backpass(el)
  },
  unmounted(el) { el._bp?.destroy() }
})

Server-side handling (important)

  • Do not attempt to "reconstruct" or normalise the sequence into plaintext if you want to preserve special-key information like Backspace/Delete — keep the token stream as-is.
  • Common pattern: send the backpass token stream as an additional form field. Your server can store it (preferably hashed) or use it for anomaly detection.
  • If you must display or operate on the human-readable version, provide a separate utility that interprets the tokens while preserving semantics. However, note that reconstruction may lose information about cursor position and selection unless the library captures caret movements.

Privacy & storage guidance

  • Treat backpass as behavioral data. Consider hashing the value before storing it and keep retention policies short.
  • Add explicit user consent in UX if required by your policy/regulation.