Recall & Review
beginner
What is the main purpose of using bcrypt in password handling?
Bcrypt is used to securely hash passwords so that the original password cannot be easily recovered, protecting user data even if the database is compromised.
beginner
Which bcrypt function is used to create a hashed password from a plain text password?
The function bcrypt.hash() is used to generate a hashed password from a plain text password.
intermediate
What does the 'salt' do in bcrypt password hashing?
A salt is random data added to the password before hashing to ensure that even identical passwords have different hashes, making attacks like rainbow tables ineffective.
beginner
How do you verify a user's password using bcrypt in Express?
Use bcrypt.compare(plainPassword, hashedPassword) to check if the plain password matches the stored hashed password. It returns true if they match.
intermediate
Why should you avoid using a fixed salt or no salt when hashing passwords?
Without a unique salt for each password, attackers can use precomputed tables to reverse hashes or find users with the same password, reducing security.
Which bcrypt method is used to create a hashed password?
A. bcrypt.genSalt()
B. bcrypt.compare()
C. bcrypt.hash()
D. bcrypt.encrypt()
bcrypt.hash() creates a hashed password from plain text.
What is the role of a salt in bcrypt hashing?
A. To speed up hashing
B. To add randomness to the hash
C. To store the password
D. To decrypt the password
A salt adds randomness so identical passwords have different hashes.
How do you check if a password matches a bcrypt hash?
A. bcrypt.hash()
B. bcrypt.check()
C. bcrypt.verify()
D. bcrypt.compare()
bcrypt.compare() compares a plain password with a hashed one.
Why is bcrypt preferred over simple hashing functions for passwords?
A. It is designed to be slow and includes salt
B. It uses a fixed salt
C. It is faster
D. It stores passwords in plain text
Bcrypt is slow and uses salt to protect against attacks.
What happens if you reuse the same salt for all passwords?
A. Attackers can find matching hashes more easily
B. Passwords become more secure
C. It has no effect
D. It speeds up login
Reusing salt makes it easier for attackers to find users with the same password.
Explain how bcrypt helps protect user passwords in an Express app.
Think about what happens when someone tries to steal your password database.
Describe the steps to hash and verify a password using bcrypt in Express.
Focus on what happens when a user signs up and then logs in.
Practice
1. What is the main purpose of using bcrypt in an Express app?
easy
A. To securely hash user passwords before saving them
B. To speed up server response time
C. To format JSON data
D. To manage user sessions
Solution
Step 1: Understand bcrypt's role
Bcrypt is a library designed to hash passwords securely, making them hard to read if stolen.
Step 2: Identify the correct purpose in Express
In Express apps, bcrypt is used to hash passwords before storing them in a database to protect user data.
Final Answer:
To securely hash user passwords before saving them -> Option A
Quick Check:
Password hashing = Secure storage [OK]
Hint: Bcrypt is for password security, not speed or formatting [OK]
Common Mistakes:
Thinking bcrypt speeds up server
Confusing bcrypt with session management
Using bcrypt for data formatting
2. Which of the following is the correct way to hash a password asynchronously using bcrypt in Express?
easy
A. const hashed = bcrypt.hashSync(password, 10);
B. const hashed = bcrypt.hash(password);
C. const hashed = await bcrypt.hash(password, 10);
Solution
Step 1: Understand the async hash signature
Bcrypt's async hash function returns a Promise, so it must be awaited, and it takes two arguments: the password and the number of salt rounds.
Step 2: Check each option
Option C, const hashed = await bcrypt.hash(password, 10);, awaits the async call and passes both arguments, which is the correct async usage. Option A, const hashed = bcrypt.hashSync(password, 10);, is the synchronous variant, and option B omits the salt rounds.
Final Answer:
const hashed = await bcrypt.hash(password, 10); -> Option C
Quick Check:
Async hash needs await and salt rounds [OK]
Hint: Async bcrypt hash always uses await and salt rounds [OK]
The code hashes 'secret123' with salt rounds 5, then compares the original password to the hash.
Step 2: Analyze the compare result
Since the password matches the hash, bcrypt.compare returns true, which is logged.
Final Answer:
true -> Option D
Quick Check:
Password matches hash = true [OK]
Hint: Compare returns true if password matches hash [OK]
Common Mistakes:
Expecting false because of low salt rounds
Thinking compare returns the hash
Missing await causing undefined
4. Identify the error in this Express route using bcrypt:
app.post('/signup', async (req, res) => {
  const { password } = req.body;
  const hashed = bcrypt.hash(password, 10);
  // Save hashed password to DB
  res.send('User created');
});
medium
A. bcrypt.hash requires 3 arguments, only 2 given
B. Missing await before bcrypt.hash causing a Promise instead of hash
C. bcrypt.hashSync should be used instead of bcrypt.hash
D. Password should not be hashed before saving
Solution
Step 1: Check bcrypt.hash usage
Bcrypt.hash is async and returns a Promise, so it needs await to get the hashed string.
Step 2: Identify missing await effect
Without await, hashed is a Promise, not the actual hash, causing errors when saving.
Final Answer:
Missing await before bcrypt.hash causing a Promise instead of hash -> Option B
Quick Check:
Async bcrypt.hash needs await [OK]
Hint: Always await async bcrypt.hash to get the hash string [OK]
Common Mistakes:
Forgetting await on async bcrypt.hash
Using wrong number of arguments
Thinking hashSync is mandatory
5. You want to create a secure signup route in Express that hashes the password and then verifies it immediately to confirm hashing worked. Which code snippet correctly does this?