Express framework (~5 mins)

Password hashing with bcrypt in Express

Introduction

Password hashing with bcrypt helps keep user passwords safe by turning them into one-way hashes: a login attempt can be checked against the hash, but the original password cannot easily be recovered from it, even if the database is stolen.

When you want to store user passwords safely in a database.
When you need to check if a user's login password is correct without saving the actual password.
When building a login system that protects users from hackers.
When you want to add extra security by making password cracking very slow and difficult.
Syntax
Express
import bcrypt from 'bcrypt';

// To hash a password
const hashedPassword = await bcrypt.hash(password, saltRounds);

// To check a password
const isMatch = await bcrypt.compare(password, hashedPassword);

saltRounds is bcrypt's cost factor: higher values make every hash slower to compute, which slows down an attacker guessing passwords but also slows down your own server.

Always use await or handle promises because bcrypt works asynchronously.

Examples
This example hashes a password with 10 salt rounds and prints the hashed result.
Express
const bcrypt = require('bcrypt');

const saltRounds = 10;
const password = 'mySecret123';

bcrypt.hash(password, saltRounds).then(hash => {
  console.log(hash);
});
This example checks if the password matches the stored hashed password and prints true or false.
Express
const bcrypt = require('bcrypt');

const password = 'mySecret123';
const hashedPassword = '$2b$10$EixZaYVK1fsbw1ZfbX3OXePaWxn96p36Z1f8q1Q1v6q9v7v5Y5F6e';

bcrypt.compare(password, hashedPassword).then(result => {
  console.log(result); // true or false
});
Sample Program

This Express app lets users register with a hashed password and log in by checking the submitted password against the stored hash. It keeps users in memory for simplicity.

Express
import express from 'express';
import bcrypt from 'bcrypt';

const app = express();
app.use(express.json());

// In-memory user list (demonstration only; a real app stores users in a database)
const users = [];
const saltRounds = 10;

// Register route: hash the password and save the user
app.post('/register', async (req, res) => {
  const { username, password } = req.body;
  // Both fields must be non-empty strings. bcrypt.hash throws on non-string input,
  // and an uncaught error in an async Express 4 handler leaves the request hanging.
  if (typeof username !== 'string' || typeof password !== 'string' || !username || !password) {
    return res.status(400).send('Username and password required');
  }
  if (users.some(u => u.username === username)) {
    return res.status(409).send('Username already taken');
  }
  // bcrypt generates a fresh random salt and embeds it in the returned hash
  const hashedPassword = await bcrypt.hash(password, saltRounds);
  users.push({ username, password: hashedPassword });
  res.send('User registered');
});

// Login route: compare the submitted password against the stored hash
app.post('/login', async (req, res) => {
  const { username, password } = req.body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    return res.status(400).send('Username and password required');
  }
  const user = users.find(u => u.username === username);
  // Use the same status and message for "unknown user" and "wrong password",
  // so the response does not reveal which usernames exist
  if (!user) {
    return res.status(401).send('Invalid username or password');
  }
  // compare() reads the salt and cost out of the stored hash, re-hashes the
  // submitted password with them, and checks whether the result matches
  const match = await bcrypt.compare(password, user.password);
  if (match) {
    res.send('Login successful');
  } else {
    res.status(401).send('Invalid username or password');
  }
});

app.listen(3000, () => {
  console.log('Server running on http://localhost:3000');
});
Important Notes

Never store plain passwords. Always hash before saving.

Use a reasonable saltRounds value (10-12) to balance security and speed.

bcrypt automatically adds a unique salt to each password hash.
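The notes above (the saltRounds recommendation, and the fact that bcrypt embeds a unique salt in every hash) are both visible in the hash string itself, which has the shape `$<version>$<cost>$<22-char salt><31-char digest>` using bcrypt's own base64 alphabet of `.`, `/`, `A-Z`, `a-z` and `0-9`. The following added example (not code from the tutorial) parses that format and audits stored hashes against a cost policy, which is how you would find accounts that still need rehashing after raising saltRounds, or rows that were never hashed at all. It also checks one bcrypt caveat the tutorial does not mention: bcrypt only uses the first 72 bytes of the password, so two passwords that share their first 72 bytes verify as equal. The `SAMPLE_USERS` rows are constructed; the first hash is the one from the tutorial's compare example, and `MIN_COST` is an assumed policy value taken from the tutorial's 10-12 recommendation.

```javascript
// Version is 2a, 2b, 2x or 2y; cost is two digits; salt is 22 chars; digest is 31 chars
const BCRYPT_RE = /^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

const MIN_COST = 10;         // assumed policy: lowest acceptable saltRounds
const MAX_INPUT_BYTES = 72;  // bcrypt ignores password bytes beyond this point

// Split a stored bcrypt hash into its fields, or return null if it is not one
function parseBcryptHash(hash) {
  const m = typeof hash === 'string' ? BCRYPT_RE.exec(hash) : null;
  if (!m) return null;
  return { version: m[1], cost: Number(m[2]), salt: m[3], digest: m[4] };
}

// Findings for one stored password value; an empty list means it passes policy
function checkStoredHash(hash) {
  const parsed = parseBcryptHash(hash);
  if (!parsed) {
    return ['not a bcrypt hash: value may be plaintext or use another algorithm'];
  }
  const findings = [];
  if (parsed.cost < MIN_COST) {
    findings.push(`cost ${parsed.cost} is below policy minimum ${MIN_COST}; rehash at next login`);
  }
  return findings;
}

// True when the whole password contributes to the hash (UTF-8 byte length, not
// character count: multi-byte characters reach the 72-byte limit sooner)
function passwordFitsBcrypt(password) {
  return Buffer.byteLength(password, 'utf8') <= MAX_INPUT_BYTES;
}

// Constructed sample rows, as they might sit in a users table
const SAMPLE_USERS = [
  // hash taken from the tutorial's compare example: version 2b, cost 10
  { username: 'alice', password: '$2b$10$EixZaYVK1fsbw1ZfbX3OXePaWxn96p36Z1f8q1Q1v6q9v7v5Y5F6e' },
  // constructed hash with a cost of 4, below policy
  { username: 'bob', password: '$2a$04$' + 'a'.repeat(53) },
  // constructed plaintext row, the case the tutorial warns about
  { username: 'carol', password: 'mySecret123' },
];

// Audit every row and attach its findings
function auditUsers(users) {
  return users.map(u => ({ username: u.username, findings: checkStoredHash(u.password) }));
}

for (const row of auditUsers(SAMPLE_USERS)) {
  console.log(row.username, row.findings.length ? row.findings : 'ok');
}
```

Because the cost lives inside the hash, `bcrypt.compare` needs no separate record of which saltRounds a user was hashed with, and raising saltRounds later only affects new hashes; the audit above is how you spot the old ones. The 72-byte limit is also why a maximum password length of a few hundred characters is reasonable: anything past byte 72 is silently discarded rather than strengthening the hash.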

Summary

Password hashing keeps user passwords safe by turning them into one-way hashes that can be verified but not easily reversed.

Use bcrypt's hash to create a hashed password and compare to check it.

Always handle bcrypt asynchronously with await or promises.