Overview - Password hashing with bcrypt

What is it?

Password hashing with bcrypt is a way to securely store passwords by turning them into a scrambled code that is hard to reverse. Instead of saving the actual password, bcrypt creates a unique hash that represents it. When someone logs in, bcrypt checks if the password matches the stored hash without revealing the original password. This keeps user passwords safe even if the data is stolen.

Why it matters

Without password hashing like bcrypt, if a hacker steals a database, they get all user passwords in plain text. This can lead to identity theft, account takeovers, and loss of trust. Bcrypt protects users by making stolen password data useless because hashes cannot be easily turned back into passwords. It also slows down attackers by making guessing passwords very slow.

Where it fits

Before learning bcrypt, you should understand basic JavaScript and how to handle user input securely. After bcrypt, you can learn about authentication systems, token management, and advanced security practices like multi-factor authentication.

Mental Model

Core Idea

Bcrypt transforms a password into a unique, slow-to-compute code that safely proves the password without revealing it.

Think of it like...

Imagine locking your house with a special lock that changes shape every time you lock it, so even if someone copies the key shape, it won't open the lock again. Bcrypt is like that lock for passwords.

Password Input
    ↓
[ Bcrypt Hash Function ]
    ↓
Stored Hash (scrambled code)

Login Attempt
    ↓
[ Bcrypt compares input password with stored hash ]
    ↓
Access Granted or Denied

Build-Up - 7 Steps

1

FoundationWhat is Password Hashing

Concept: Understanding that passwords should never be stored as plain text but as hashes.

When users create passwords, storing them as plain text means anyone who accesses the database can see them. Hashing turns passwords into fixed-length codes that look random. This code cannot be reversed to find the original password easily.

Result

Passwords are stored as hashes, protecting them from direct exposure.

Knowing why hashing is essential helps you appreciate why bcrypt and similar tools exist.

2

FoundationIntroduction to bcrypt

3

IntermediateUsing bcrypt in Node.js

4

IntermediateChoosing the Cost Factor

5

AdvancedSalting and Its Importance

6

AdvancedVerifying Passwords Securely

7

ExpertBcrypt Internals and Security Limits

Under the Hood

Bcrypt works by taking a password and generating a random salt. It then uses the Blowfish cipher to repeatedly encrypt the password combined with the salt for a number of rounds defined by the cost factor. This process produces a hash that includes the salt and cost factor. When verifying, bcrypt extracts the salt and cost from the stored hash and repeats the process with the input password to check for a match.

Why designed this way?

Bcrypt was designed to be slow and include a salt to prevent fast brute-force attacks and rainbow table attacks. The use of Blowfish cipher rounds makes it computationally expensive to guess passwords. Alternatives like simple hashes were too fast and vulnerable. Bcrypt balances security with practical performance on typical hardware.

┌───────────────┐       ┌───────────────┐       ┌───────────────┐
│  Input Password│──────▶│  Add Random   │──────▶│ Blowfish Cipher│
│               │       │     Salt      │       │  Multiple Rounds│
└───────────────┘       └───────────────┘       └───────────────┘
                                                      │
                                                      ▼
                                             ┌─────────────────┐
                                             │  Output Hash    │
                                             │ (Salt + Cost +  │
                                             │   Hashed Data)  │
                                             └─────────────────┘

Myth Busters - 4 Common Misconceptions

Quick: Does bcrypt require you to manually create and store a salt? Commit to yes or no.

Common Belief:Many think developers must generate and store a salt separately when using bcrypt.

Tap to reveal reality

Quick: Is bcrypt hashing fast enough to use without worrying about performance? Commit to yes or no.

Common Belief:Some believe bcrypt is fast and can be used without considering its cost factor impact on speed.

Tap to reveal reality

Quick: Can you verify passwords by comparing bcrypt hashes with simple string equality? Commit to yes or no.

Common Belief:People often think comparing stored hash strings directly is enough to verify passwords.

Tap to reveal reality

Quick: Is bcrypt unbreakable regardless of future computing power? Commit to yes or no.

Common Belief:Some assume bcrypt hashes cannot be cracked no matter how powerful computers become.

Tap to reveal reality

Expert Zone

1

Bcrypt hashes include the cost factor and salt embedded, allowing verification without separate salt storage.

2

The cost factor exponentially increases hashing time, so small changes have big performance impacts.

3

Bcrypt's design using Blowfish cipher rounds is less memory-intensive than newer algorithms, affecting its resistance to GPU attacks.

When NOT to use

Avoid bcrypt when you need memory-hard hashing resistant to GPU/ASIC attacks; use Argon2 instead. Also, for extremely high-performance systems, consider faster but less secure hashes combined with other protections.

Production Patterns

In real systems, bcrypt is used with async calls to avoid blocking, cost factors are tuned per hardware, and hashes are stored in databases with user records. Password resets and migrations to newer algorithms are planned carefully to maintain security.

Connections

Cryptographic Hash Functions

Bcrypt builds on the idea of cryptographic hashes but adds salt and repeated rounds.

Understanding basic hash functions helps grasp why bcrypt adds complexity for security.

Authentication Systems

Password hashing with bcrypt is a core part of verifying user identity securely.

Knowing bcrypt's role clarifies how authentication protects user accounts.

Biological Immune System

Both bcrypt and the immune system use slow, repeated checks to detect threats and prevent quick attacks.

Seeing bcrypt like immune defense helps appreciate the value of slowing attackers down.

Common Pitfalls

#1Storing passwords as plain text instead of hashing.

Wrong approach:const password = 'userpass123'; db.saveUser({ username: 'user', password: password });

Correct approach:const bcrypt = require('bcrypt'); const hash = await bcrypt.hash('userpass123', 10); db.saveUser({ username: 'user', password: hash });

Root cause:Not understanding the risk of exposing plain passwords if the database is compromised.

#2Comparing password hashes with simple equality instead of bcrypt's compare.

Wrong approach:if (inputHash === storedHash) { grantAccess(); }

Correct approach:const match = await bcrypt.compare(inputPassword, storedHash); if (match) { grantAccess(); }

Root cause:Ignoring that bcrypt hashes include salts and require special comparison to avoid timing attacks.

#3Using a very low cost factor to speed up hashing.

Wrong approach:const hash = await bcrypt.hash(password, 4); // too low cost

Correct approach:const hash = await bcrypt.hash(password, 12); // recommended cost

Root cause:Not realizing that low cost factors make hashes easier to crack by attackers.

Key Takeaways

Bcrypt securely hashes passwords by adding a unique salt and repeating hashing many times to slow attackers.

Always use bcrypt's built-in functions for hashing and verifying passwords asynchronously in Node.js.

Choosing the right cost factor balances security and performance; higher cost means stronger but slower hashing.

Never store plain passwords or compare hashes with simple equality; use bcrypt's compare method to avoid security flaws.

Bcrypt is strong but not unbreakable; stay informed about newer algorithms like Argon2 for future-proof security.