
Password hashing with bcrypt in Express - Performance & Optimization

Performance: Password hashing with bcrypt
MEDIUM IMPACT
This affects server response time during user authentication and registration by adding CPU work for hashing passwords.
Hashing user passwords securely during signup
Express
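const express = require('express');
const bcrypt = require('bcrypt');

const app = express();
app.use(express.json()); // parse JSON bodies so req.body.password is populated

app.post('/signup', async (req, res) => {
  const password = req.body.password;
  // async API: the hash is computed without blocking the event loop
  const hashed = await bcrypt.hash(password, 12); // recommended salt rounds
  // save hashed password
  res.send('User created');
});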
Higher salt rounds increase CPU time to hash, slowing attackers but adding moderate server delay.
📈 Performance Gain: balanced CPU cost with strong security, acceptable response time
Hashing user passwords securely during signup
Express
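const express = require('express');
const bcrypt = require('bcrypt');

const app = express();
app.use(express.json()); // parse JSON bodies so req.body.password is populated

app.post('/signup', async (req, res) => {
  const password = req.body.password;
  // anti-pattern shown on purpose: cost 4 is cheap for the server and for an attacker
  const hashed = await bcrypt.hash(password, 4); // low salt rounds
  // save hashed password
  res.send('User created');
});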
Using too few salt rounds makes hashing fast but weakens security, allowing faster brute-force attacks.
📉 Performance Cost: fast hashing, low CPU cost but poor security
Performance Comparison
| Pattern | CPU Load | Blocking Behavior | Response Delay | Verdict |
|---|---|---|---|---|
| bcrypt with low salt rounds | Low CPU | Non-blocking (async) | Fast response | [X] Bad |
| bcrypt with recommended salt rounds | Medium CPU | Non-blocking (async) | Moderate delay | [OK] Good |
| bcrypt with recommended salt rounds (sync) | Medium CPU | Blocking | High delay | [X] Bad |
| No hashing or weak hashing | Minimal CPU | Non-blocking | Fast but insecure | [X] Bad |
Rendering Pipeline
Password hashing with bcrypt runs on the server CPU and does not affect the browser rendering pipeline directly. However, slow hashing increases server response time, which delays content delivery and affects perceived page load.
Stages affected: Server Processing, Network Response
⚠️ Bottleneck: CPU-intensive hashing delays server response, increasing time to first byte (TTFB).
Optimization Tips
1. Use async bcrypt methods to avoid blocking the server event loop.
2. Choose salt rounds that balance security and acceptable server response time.
3. Monitor server response times to detect hashing-related delays.
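To apply tip 2 and to find accounts still stored with the low-rounds pattern shown earlier, the sketch below reads the cost factor out of stored bcrypt strings and estimates the highest cost that fits a latency budget. It is an added example, not code from the original page; the function names, the sample strings and the 60 ms / 250 ms figures are constructed assumptions, and the doubling-per-round estimate ignores fixed overhead.

```javascript
// Added example: audit stored bcrypt strings by cost factor (pure JS, no bcrypt dependency).
// Layout: $<version>$<2-digit cost>$<22-char salt><31-char digest>
const BCRYPT_RE = /^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Split a stored bcrypt string into its fields; null if it is not a bcrypt string.
function parseBcryptHash(stored) {
  const m = BCRYPT_RE.exec(String(stored));
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // valid bcrypt cost range
  return { version: m[1], cost, salt: m[3], digest: m[4] };
}

// True when the value should be re-hashed at the next successful login.
// Unparseable values are flagged too, so they get reviewed instead of skipped.
function needsRehash(stored, targetCost) {
  const parsed = parseBcryptHash(stored);
  return parsed === null || parsed.cost < targetCost;
}

// bcrypt runs 2^cost key-expansion iterations, so each extra round doubles the work.
function workRatio(fromCost, toCost) {
  return 2 ** (toCost - fromCost);
}

// Highest cost whose estimated hash time fits the budget, extrapolated from
// one timing taken on the production host (measuredMs at measuredCost).
function maxCostWithinBudget(measuredMs, measuredCost, budgetMs) {
  let best = null;
  for (let cost = 4; cost <= 31; cost++) {
    if (measuredMs * workRatio(measuredCost, cost) <= budgetMs) best = cost;
  }
  return best;
}

// Constructed sample values: syntactically valid, not real password hashes.
const filler = 'a'.repeat(22) + 'b'.repeat(31);
const samples = ['$2b$12$' + filler, '$2b$04$' + filler, 'plaintext-or-legacy'];
for (const s of samples) {
  const p = parseBcryptHash(s);
  console.log(p ? `cost=${p.cost}` : 'unparseable', 'needsRehash:', needsRehash(s, 12));
}
console.log('work 4 -> 12:', workRatio(4, 12) + 'x');
console.log('max cost within 250 ms:', maxCostWithinBudget(60, 10, 250));
```

Run `needsRehash` after a successful password check, when the plaintext is available to re-hash at the target cost.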
Performance Quiz - 3 Questions
What is the main performance impact of using bcrypt with high salt rounds on a server?
A. Increases CPU load and response time during password hashing
B. Blocks browser rendering causing layout shifts
C. Increases client-side JavaScript bundle size
D. Causes network latency due to large hashed passwords
DevTools: Network and Performance panels
How to check: Use the Network panel to measure server response time (TTFB). Use the Performance panel to record server response delays during login/signup requests.
What to look for: Increased TTFB or long server processing times, which indicate slow password hashing blocking the response.