Node.js · How-To · Beginner · 4 min read

How to Use bcrypt in Node.js for Password Hashing

Use bcrypt in Node.js by installing it with npm, then hash passwords with bcrypt.hash() and verify them with bcrypt.compare(). This ensures passwords are stored securely and checked safely.

Syntax

The main functions in bcrypt are:

  • bcrypt.hash(password, saltRounds): Creates a salted hash of the password. saltRounds is the cost factor: each increase by one doubles the work needed to compute the hash, and therefore the work an attacker needs to brute-force it.
  • bcrypt.compare(password, hash): Checks whether a plain-text password matches the stored hash; the promise resolves to true or false.

You first import bcrypt, then use these functions asynchronously to handle passwords safely.

javascript
import bcrypt from 'bcrypt';

const saltRounds = 10;
const password = 'userPassword123';

async function run() {
  // Hashing a password
  const hash = await bcrypt.hash(password, saltRounds);

  // Comparing password with hash
  const match = await bcrypt.compare(password, hash);
}

run();

Example

This example shows how to hash a password and then verify it. It prints whether the password matches the hash.

javascript
import bcrypt from 'bcrypt';

async function runExample() {
  const password = 'mySecret123';
  const saltRounds = 12;

  // Hash the password
  const hashedPassword = await bcrypt.hash(password, saltRounds);
  console.log('Hashed password:', hashedPassword);

  // Verify the password
  const isMatch = await bcrypt.compare('mySecret123', hashedPassword);
  console.log('Password match:', isMatch);

  // Verify with wrong password
  const isMatchWrong = await bcrypt.compare('wrongPassword', hashedPassword);
  console.log('Wrong password match:', isMatchWrong);
}

runExample();
Output
Hashed password: $2b$12$... (hash string)
Password match: true
Wrong password match: false

Common Pitfalls

Common mistakes when using bcrypt include:

  • Using synchronous versions like bcrypt.hashSync in server code, which block the event loop while the hash is computed.
  • Using too few saltRounds (a low cost factor), which makes hashes cheap to brute-force.
  • Testing bcrypt.compare without awaiting its promise: a pending Promise is always truthy, so the check passes for any password.
  • Storing plain-text passwords instead of hashes.

Always use the asynchronous functions and choose a saltRounds value of at least 10 for good security.

javascript
import bcrypt from 'bcrypt';

async function example() {
  // Wrong: synchronous hashing (blocks server)
  const hashSync = bcrypt.hashSync('password', 10);

  // Right: asynchronous hashing
  const hashAsync = await bcrypt.hash('password', 10);
}

example();
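An added example (not code from the article) that exercises two of these pitfalls without needing the native module: it reads the cost factor out of a stored hash to flag hashes made with too few rounds, and shows the unawaited-compare bug next to the correct check. The compare function is injected; in real code bcrypt.compare fills that slot. The hash string, the password it is assumed to belong to and the fake compare are constructed placeholders.

```javascript
// Added example, not code from the original article. `compare` is injected so
// the logic runs without the native bcrypt module; in production pass bcrypt.compare.
// STORED_HASH is a constructed placeholder with the real bcrypt layout, not a real hash.
const STORED_HASH = '$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234';
const MIN_ROUNDS = 12; // cost policy; every +1 doubles the work per hash

// bcrypt hash layout: $2<a|b|x|y>$<2-digit cost>$<22-char salt><31-char digest>, 60 chars
const BCRYPT_RE = /^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$/;

// Cost factor (the saltRounds used) of a stored hash, or null if it is not a bcrypt hash
function bcryptCost(hash) {
  const m = BCRYPT_RE.exec(hash);
  return m ? Number(m[1]) : null;
}

// True when the stored hash is malformed or below policy: after a successful login,
// re-hash the verified password with bcrypt.hash(password, minRounds) and save it
function needsRehash(hash, minRounds = MIN_ROUNDS) {
  const cost = bcryptCost(hash);
  return cost === null || cost < minRounds;
}

// Correct check: the promise from compare is awaited before it is tested
async function verifyAwaited(compare, password, hash) {
  const ok = await compare(password, hash);
  return ok === true;
}

// The pitfall from the article: compare is not awaited, so `if` tests a pending
// Promise object, which is always truthy. Every password "matches".
async function verifyUnawaited(compare, password, hash) {
  if (compare(password, hash)) return true;
  return false;
}

// Stand-in for bcrypt.compare with the same async signature, so the file runs offline.
// Assumption: STORED_HASH belongs to the password 'correct horse'.
async function fakeCompare(password, hash) {
  return hash === STORED_HASH && password === 'correct horse';
}

async function main() {
  console.log('cost:', bcryptCost(STORED_HASH), 'needs rehash:', needsRehash(STORED_HASH, 14));
  console.log('awaited, wrong password:', await verifyAwaited(fakeCompare, 'wrong', STORED_HASH));
  console.log('unawaited, wrong password:', await verifyUnawaited(fakeCompare, 'wrong', STORED_HASH));
}
main();
```

With bcrypt installed, replace fakeCompare with bcrypt.compare and call needsRehash on the stored hash after each successful login to raise the cost of old hashes over time.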

Quick Reference

Function                              | Purpose                        | Notes
bcrypt.hash(password, saltRounds)     | Create a hashed password       | Use async/await, saltRounds ≥ 10
bcrypt.compare(password, hash)        | Check if password matches hash | Returns true or false asynchronously
bcrypt.genSalt(saltRounds)            | Generate salt manually         | Optional, bcrypt.hash does this internally
bcrypt.hashSync(password, saltRounds) | Synchronous hash (legacy)      | Avoid in server code to prevent blocking

Key Takeaways

  • Always hash passwords with bcrypt before storing them to keep user data safe.
  • Use asynchronous bcrypt functions with await to avoid blocking your Node.js server.
  • Choose a saltRounds value of 10 or higher for strong password hashing.
  • Never store or compare plain-text passwords directly.
  • Test password verification carefully to avoid logic errors.