
Password hashing with bcrypt in Node.js - Step-by-Step Execution

Concept Flow - Password hashing with bcrypt
User inputs password
bcrypt.hash(password, saltRounds)
Generate salt + hash password
Store hashed password
User login attempt
bcrypt.compare(inputPassword, storedHash)
Returns true if match, false if not
Allow or deny access
This flow shows how bcrypt hashes a password, stores it, and later compares input to verify login.
Execution Sample
Node.js
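```js
import bcrypt from 'bcrypt';

const password = 'mySecret123'; // demo value; in practice this comes from user input
const saltRounds = 10; // cost factor passed to bcrypt.hash

async function run() {
  // bcrypt.hash generates a random salt and embeds it in the returned hash string
  const hash = await bcrypt.hash(password, saltRounds);
  // bcrypt.compare hashes the input with the salt stored in `hash` and compares the results
  const match = await bcrypt.compare('mySecret123', hash);
  console.log(match); // true
}

run().catch(console.error);
```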
This code hashes a password and then checks if a given input matches the hashed password.
Execution Table
| Step | Action | Input | Output | Notes |
|------|--------|-------|--------|-------|
| 1 | Receive password input | 'mySecret123' | Password string ready | User enters password |
| 2 | Call bcrypt.hash | 'mySecret123', 10 | Generated hash string | Salt generated internally, hash created |
| 3 | Store hash | Hash string | Stored securely | Hash saved in database |
| 4 | User login input | 'mySecret123' | Input password ready | User tries to login |
| 5 | Call bcrypt.compare | 'mySecret123', stored hash | true | Password matches hash |
| 6 | Allow access | true | User logged in | Access granted |
| 7 | Call bcrypt.compare | 'wrongPass', stored hash | false | Password does not match |
| 8 | Deny access | false | Login failed | Access denied |
💡 Process ends after allowing or denying access based on password match.
Variable Tracker
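| Variable | Start | After hash | After compare (correct) | After compare (wrong) |
|----------|-------|------------|-------------------------|-----------------------|
| password | 'mySecret123' | 'mySecret123' | 'mySecret123' | 'mySecret123' |
| saltRounds | 10 | 10 | 10 | 10 |
| hash | undefined | hashed string | hashed string | hashed string |
| match | undefined | undefined | true | false |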
Key Moments - 3 Insights
Why can't we just store the password directly instead of hashing?
Storing passwords directly is unsafe: if the database leaks, attackers get every password. bcrypt stores only a salted, one-way hash, so a leaked database does not directly reveal the original passwords (see Execution Table, step 3).
Why do we need saltRounds in bcrypt.hash?
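saltRounds is bcrypt's cost factor: it controls how much work bcrypt does to hash the password, which makes hashing slower and the hash harder to crack. Each increase of 1 doubles the work. The salt itself is generated internally by bcrypt.hash, as shown in step 2.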
What happens if the input password doesn't match the stored hash?
bcrypt.compare returns false (step 7), so access is denied (step 8). This prevents unauthorized login.
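The saltRounds value and the salt generated in step 2 are both written into the stored hash string, which is why bcrypt.compare needs only the input and the stored hash. The following is an added example, not code from the original lesson: it parses that string to read the cost and decides, after a successful login, whether a hash made with an older saltRounds should be regenerated. The function names, TARGET_COST and the sample values are assumptions constructed for illustration, and no bcrypt package is needed to run it.

```javascript
// Added example: inspect a stored bcrypt hash string without the bcrypt package.
// Layout: $<version>$<cost>$<22-char salt><31-char digest>  (60 characters in total)
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/;

// Assumed policy value: the saltRounds the application currently hashes with.
const TARGET_COST = 12;

function parseBcryptHash(stored) {
  const m = typeof stored === 'string' ? BCRYPT_RE.exec(stored) : null;
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // bcrypt's valid cost range is 4..31
  return {
    version: m[1],
    cost,
    iterations: 2 ** cost, // each +1 in saltRounds doubles the work
    salt: m[3],
    digest: m[4],
  };
}

// Decision for a stored value, meant to be applied after bcrypt.compare returned true:
//   'ok'      -> keep the stored hash
//   'rehash'  -> hash the just-verified password again with targetCost and replace it
//   'invalid' -> the stored value is not a bcrypt hash (e.g. a plaintext row)
function rehashDecision(stored, targetCost = TARGET_COST) {
  const parsed = parseBcryptHash(stored);
  if (!parsed) return 'invalid';
  return parsed.cost < targetCost ? 'rehash' : 'ok';
}

// Constructed sample values (filler characters, not hashes of real passwords).
const filler = 'A'.repeat(22) + 'B'.repeat(31);
const samples = {
  legacy: '$2b$10$' + filler,  // as if created with saltRounds = 10
  current: '$2b$12$' + filler, // as if created with saltRounds = 12
  plaintext: 'mySecret123',    // a row that was never hashed
};

for (const [name, value] of Object.entries(samples)) {
  const p = parseBcryptHash(value);
  console.log(name, rehashDecision(value), p ? `cost=${p.cost} iterations=${p.iterations}` : '-');
}
```

Rehashing is only possible at login time, because that is the one moment the application holds the plaintext password it needs to pass to bcrypt.hash again.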
Visual Quiz - 3 Questions
Test your understanding
Look at the Execution Table. What is the value of 'match' after comparing the correct password?
A. false
B. true
C. undefined
D. hashed string
💡 Hint
Check Execution Table row 5, where bcrypt.compare returns true for the correct password.
At which step does bcrypt generate the salt and hash the password?
A. Step 2
B. Step 4
C. Step 1
D. Step 5
💡 Hint
Look at Execution Table step 2, where bcrypt.hash is called.
If we increase saltRounds, what changes in the execution process?
A. Comparison always returns false
B. Password input changes
C. Hashing takes more time and is more secure
D. Stored hash becomes shorter
💡 Hint
Refer to the Key Moments entry about saltRounds controlling hashing work.
Concept Snapshot
Password hashing with bcrypt:
- Use bcrypt.hash(password, saltRounds) to create a secure hash
- saltRounds controls hashing difficulty
- Store only the hash, never the plain password
- Use bcrypt.compare(input, storedHash) to verify passwords
- Returns true if input matches stored hash, else false
Full Transcript
This lesson shows how bcrypt hashes passwords securely in Node.js. First, the user inputs a password. bcrypt.hash creates a salted hash using saltRounds to control difficulty. The hash is stored safely. Later, when the user logs in, bcrypt.compare checks if the input matches the stored hash. If it matches, access is granted; if not, access is denied. This protects passwords from being stolen in plain text and makes cracking very hard.