Express · How-To · Beginner · 4 min read

How to Use bcrypt for Password Hashing in Express

Use bcrypt in Express to hash passwords before saving them and to compare hashed passwords during login. First, hash the password with bcrypt.hash() and store it, then verify with bcrypt.compare() when users log in.

Syntax

Here is how you use bcrypt to hash and compare passwords in Express:

  • bcrypt.hash(password, saltRounds): Creates a salted hash of the password. saltRounds is the cost factor; each increment doubles the work needed to compute (and to brute-force) the hash.
  • bcrypt.compare(plainPassword, hashedPassword): Checks whether a plain password matches the stored hash. The salt and cost are read from the stored hash, so you never pass them separately.
javascript
import bcrypt from 'bcrypt';

const saltRounds = 10; // cost factor; 10 is a common minimum
// `password` and `plainPassword` come from the request body in a real app

// Hashing a password (returns a string like '$2b$10$...')
const hashedPassword = await bcrypt.hash(password, saltRounds);

// Comparing passwords (returns true or false)
const isMatch = await bcrypt.compare(plainPassword, hashedPassword);

Example

This example shows a simple Express route that registers a user by hashing their password, and another route that logs the user in by verifying the submitted password against the stored hash.

javascript
import express from 'express';
import bcrypt from 'bcrypt';

const app = express();
app.use(express.json());

const users = []; // in-memory store for the example; only hashes are kept here
const saltRounds = 10;

// Register route
app.post('/register', async (req, res) => {
  const { username, password } = req.body;
  // Guard the input: bcrypt.hash throws on a non-string, which would
  // otherwise surface as an unhandled rejection in an async handler
  if (typeof username !== 'string' || typeof password !== 'string') {
    return res.status(400).send('username and password are required');
  }
  const hashedPassword = await bcrypt.hash(password, saltRounds);
  users.push({ username, password: hashedPassword }); // store the hash, never the plain password
  res.send('User registered successfully');
});

// Login route
app.post('/login', async (req, res) => {
  const { username, password } = req.body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    return res.status(400).send('username and password are required');
  }
  const user = users.find(u => u.username === username);
  // Note: distinct 'User not found' / 'Invalid password' messages let a client
  // learn which usernames exist; a single generic message avoids that.
  if (!user) return res.status(400).send('User not found');

  // compare() re-hashes the input with the salt and cost embedded in the stored hash
  const isValid = await bcrypt.compare(password, user.password);
  if (isValid) {
    res.send('Login successful');
  } else {
    res.status(400).send('Invalid password');
  }
});

app.listen(3000, () => console.log('Server running on port 3000'));

Output

  • User registered successfully
  • Login successful (if password matches)
  • Invalid password (if password does not match)

Common Pitfalls

Common mistakes when using bcrypt in Express include:

  • Not awaiting bcrypt.hash() or bcrypt.compare(), so you store a Promise instead of a hash or treat a pending Promise as a truthy match.
  • Using too low a saltRounds value, which makes the hash cheap to brute-force.
  • Storing plain passwords instead of hashed ones.
  • Comparing the plain input to the stored hash with === instead of bcrypt.compare(); the input must be hashed with the stored salt first, which compare() does for you.
javascript
import bcrypt from 'bcrypt';

// Wrong: Not awaiting hash
const hashed = bcrypt.hash('mypassword', 10); // hashed is a Promise, not a string

// Right: Await the hash
(async () => {
  const hashedCorrect = await bcrypt.hash('mypassword', 10); // now a string like '$2b$10$...'
  console.log(typeof hashedCorrect); // 'string'
})();

Quick Reference

Remember these tips when using bcrypt in Express:

  • Always use await with async bcrypt functions.
  • Use at least 10 saltRounds for good security.
  • Never store or log plain passwords.
  • Hash passwords before saving and compare hashed passwords on login.
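The login flow in the Example section and the low-saltRounds pitfall together suggest one check worth adding: read the cost factor out of the stored hash and re-hash with the current cost on the next successful login when it is below your minimum. This is an added example, not code from the original page; the bcrypt module is passed in as `bcryptLib` so the helpers run without it, and the sample hash strings are constructed to be syntactically valid only, not derived from any real password.

```javascript
// Added example (not from the original page). bcrypt stores its output in
// modular-crypt format: "$2b$10$" + 22-char salt + 31-char digest (60 chars).
// The cost factor sits in the string, so a stored hash tells you how it was made.
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/;

function parseBcryptHash(stored) {
  const m = BCRYPT_RE.exec(stored);
  if (!m) return null;
  return { version: m[1], cost: Number(m[2]), salt: m[3], digest: m[4] };
}

// True when the stored value should be re-hashed: either it is not a bcrypt
// hash at all (e.g. a plaintext leftover) or its cost is below minCost.
function needsRehash(stored, minCost = 10) {
  const parsed = parseBcryptHash(stored);
  if (!parsed) return true;
  return parsed.cost < minCost;
}

// Verify a login and transparently upgrade a weak hash. bcryptLib is injected
// (pass the real `bcrypt` module in the app) so this file runs without it.
// Only a successful compare gives us the plain password needed to re-hash.
async function loginAndUpgrade(user, password, bcryptLib, minCost = 10) {
  const ok = await bcryptLib.compare(password, user.password);
  if (!ok) return { ok: false, upgraded: false };
  if (needsRehash(user.password, minCost)) {
    user.password = await bcryptLib.hash(password, minCost);
    return { ok: true, upgraded: true };
  }
  return { ok: true, upgraded: false };
}

// Constructed sample strings (hypothetical): valid format, no real password behind them.
const SAMPLE_SALT = 'abcdefghijklmnopqrstuv';                 // 22 chars
const SAMPLE_DIGEST = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ01234';      // 31 chars
const SAMPLE_COST_10 = '$2b$10$' + SAMPLE_SALT + SAMPLE_DIGEST;
const SAMPLE_COST_04 = '$2b$04$' + SAMPLE_SALT + SAMPLE_DIGEST;

// Stand-alone check that needs no bcrypt module installed:
console.log(needsRehash(SAMPLE_COST_04)); // true: cost 4 is below the minimum of 10
console.log(needsRehash(SAMPLE_COST_10)); // false
```

Call loginAndUpgrade() from the login route in place of the bare bcrypt.compare() call and persist `user.password` when `upgraded` is true.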

Key Takeaways

  • Always hash passwords with bcrypt before storing them in Express apps.
  • Use async/await with bcrypt.hash() and bcrypt.compare() to avoid bugs.
  • Set saltRounds to 10 or higher for strong password hashing.
  • Never store or transmit plain text passwords.
  • Verify passwords by comparing the plain input with the stored hash using bcrypt.compare().