0
0
Expressframework~10 mins

Password hashing with bcrypt in Express - Step-by-Step Execution

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf
Concept Flow - Password hashing with bcrypt
Receive plain password
Generate salt with bcrypt
Hash password + salt
Store hashed password
Later: Receive login password
Compare login password with stored hash
Return match result: true/false
This flow shows how bcrypt creates a salt, hashes a password, stores it, and later compares login attempts securely.
Execution Sample
Express
import bcrypt from 'bcrypt';

const password = 'mySecret123';
const saltRounds = 10;

async function hashPassword() {
  const salt = await bcrypt.genSalt(saltRounds);
  const hashed = await bcrypt.hash(password, salt);
  return hashed;
}

async function checkPassword(hashedPassword, inputPassword) {
  const match = await bcrypt.compare(inputPassword, hashedPassword);
  return match;
}
This code hashes a password with bcrypt and then checks if a login password matches the stored hash.
Execution Table
StepActionInputOutputNotes
1Receive plain passwordmySecret123mySecret123User inputs password
2Generate saltsaltRounds=10$2b$10$eW5...Salt created with cost factor 10
3Hash password + saltpassword + salt$2b$10$eW5...hashedvaluePassword hashed securely
4Store hashed password$2b$10$eW5...hashedvalueStored in DBHash saved, not plain password
5Receive login passwordmySecret123mySecret123User tries to login
6Compare login password with stored hashmySecret123, $2b$10$eW5...hashedvaluetruePassword matches hash
7Return match resulttrueAllow loginUser authenticated successfully
💡 Comparison returns false if passwords don't match, stopping login.
Variable Tracker
VariableStartAfter Step 2After Step 3After Step 4After Step 6
passwordundefinedmySecret123mySecret123mySecret123mySecret123
saltundefined$2b$10$eW5...$2b$10$eW5...$2b$10$eW5...$2b$10$eW5...
hashedundefinedundefined$2b$10$eW5...hashedvalue$2b$10$eW5...hashedvalue$2b$10$eW5...hashedvalue
matchundefinedundefinedundefinedundefinedtrue
Key Moments - 3 Insights
Why do we generate a salt before hashing the password?
The salt adds randomness to the password hash, making it unique even if two users have the same password. See Step 2 in the execution_table where salt is generated before hashing.
Why can't we just store the plain password instead of the hash?
Storing plain passwords is unsafe because if the database leaks, attackers get all passwords. Hashing protects passwords by storing only the hashed version (Step 4).
How does bcrypt verify the password without storing the plain password?
bcrypt compares the login password by hashing it with the stored salt inside the hash and checks if it matches the stored hash (Step 6).
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table, what is the output of Step 3?
AA plain password string
BA salt string
CA hashed password string
DA boolean true/false
💡 Hint
Check the Output column at Step 3 in the execution_table.
At which step does the system decide if the login password matches the stored hash?
AStep 4
BStep 6
CStep 2
DStep 7
💡 Hint
Look for the step where bcrypt.compare is used in the execution_table.
If the saltRounds value is increased, what changes in the execution_table?
AStep 2 output salt will be longer and hashing slower
BStep 3 output will be plain password
CStep 6 match will always be false
DStep 7 will skip login
💡 Hint
Salt generation depends on saltRounds as shown in Step 2.
Concept Snapshot
Password hashing with bcrypt:
- Generate a salt with cost factor (saltRounds)
- Hash password + salt to create secure hash
- Store only the hash, never plain password
- On login, compare input password with stored hash
- bcrypt handles salt internally during compare
- Higher saltRounds means stronger but slower hashing
Full Transcript
This visual trace shows how bcrypt hashes passwords in an Express app. First, the plain password is received. Then bcrypt generates a salt using a cost factor called saltRounds. The password is combined with this salt and hashed securely. The hashed password is stored in the database, never the plain password. Later, when a user logs in, bcrypt compares the entered password with the stored hash by hashing it internally with the salt. If they match, login is allowed. This process protects user passwords by making it very hard for attackers to reverse the hash. Increasing saltRounds makes hashing stronger but slower.