How to Hash and Verify a Password in Node.js With bcrypt

One of the best ways to securely store passwords is to salt and hash them. Salting and hashing convert a plain password into a unique value that is hard to reverse. The bcrypt library allows you to hash and salt passwords in Node.js with very little effort.

What is password hashing?

Password hashing means passing a plain text password through a hashing algorithm to produce a unique value. Some examples of hash algorithms are bcrypt, scrypt, and SHA. The downside of hashing is that it’s predictable.

Every time you pass the same input to a hashing algorithm, it produces the same output. A hacker with access to the hashed password can reverse engineer the encryption to get the original password. They may use techniques such as brute force or rainbow tables. This is where the salt comes in.

What is salt password?

Password salting adds a random string (salt) to the password before hashing it. This way the generated hash will always be different each time. Even if a hacker obtains the hashed password, it is impractical for them to discover the original password that generated it.

How to use bcrypt to hash and verify passwords

bcrypt is an npm module that simplifies password salting and hashing.

Step 1: Install bcrypt

Using npm:

npm install bcrypt

Yarn Usage:

yarn add bcrypt

Step 2: Enter bcrypt

const bcrypt = require("bcrypt")

Step 3: Create salt

To make salt, call bcrypt.genSalt() method. This method accepts an integer value as the cost factor that determines the time it takes to hash the password. The higher the cost factor, the longer the algorithm takes and the harder it is to reverse the hash using brute force. A good value should be high enough to secure the password but also low enough to not slow down the process. It is usually between 5 and 15. In this tutorial we will use 10.

bcrypt.genSalt(10, (err, salt) => {
// use salt to hash password

Step 4: Hash Password

Pass simple password and generated salt to hash() method:

bcrypt.genSalt(10, (err, salt) => {
bcrypt.hash(plaintextPassword, salt, function(err, hash) {

Once you have generated the hash, store it in the database. You will use it to verify passwords and authenticate the user trying to log in.

Instead of generating the salt and hash separately, you can also dynamically generate the salt and hash using a single function.

bcrypt.hash(plaintextPassword, 10, function(err, hash) {

Step 5: Compare passwords using bcrypt

To authenticate users, you will need to compare the password they provide with the password in the database. accepts the plain text password and hash you’ve stored, along with a callback function. That callback provides an object containing any errors that occurred and the overall result from the comparison. If the password matches the hash, the result is true., hash, function(err, result) {
if (result) {

Using Async/Await

You can hash and verify passwords with async / await as follows.

async function hashPassword(plaintextPassword) {
const hash = await bcrypt.hash(plaintextPassword, 10);

async function comparePassword(plaintextPassword, hash) {
const result = await, hash);
return result;

Use promises

The bcrypt library also supports the use of promises.

function hashPassword(plaintextPassword) {
bcrypt.hash(plaintextPassword, 10)
.then(hash => {
.catch(err => {

function comparePassword(plaintextPassword, hash) {, hash)
.then(result => {
return result
.catch(err => {

Mining and salting is an easy win

You can use the bcrypt library to hash and verify passwords in Node.js. Password hashing reduces the possibility of cybercriminals using them to access sensitive data or services. Salting your hashed passwords makes them more secure. In addition to hashing, always validate password strength as an added security measure.

8 most common tricks used to hack passwords

Continue reading

About the author How to Hash and Verify a Password in Node.js With bcrypt

Sarah Ridley is an automatic aggregator of the all world’s media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials, please contact us by email – The content will be deleted within 24 hours.

Related Articles

Back to top button