How to hash passwords using bcrypt in Node.js (2024)

Bcrypt is a hashing algorithm designed by Niels Provos and David Mazières, based on the Blowfish cipher (Blowfish is a symmetric block cipher with a 64-bit block size, a variable key size of 32 to 448 bits, and 16 rounds). It is commonly used for passwords and takes regular hashing algorithms further by introducing a salt. The salt is a string mixed with the password before hashing. It is generated uniquely for each password, so two identical passwords do not produce the same hash.

Bcrypt iteratively hashes the password to make it more secure. The work factor controls the number of iterations the underlying hash function performs when hashing a password. The greater the number of iterations, the slower the processing. However, slower processing is more secure, because it makes brute-force attacks (trying every possible password, encryption key, or credential until the correct one is found) resource intensive for an attacker. Conversely, fewer iterations are quicker to process but are more easily compromised. An ideal work factor is a compromise between resources and security.

Moving on, we will discuss using bcrypt to hash passwords in Node applications.

Install bcrypt

First of all, we will install bcrypt. Run the following command in a terminal:

npm i bcrypt

To check if bcrypt is properly installed, use the following command.

npm list bcrypt


Hash password using bcrypt

To use bcrypt in our application, we must include the module in our script.

const bcrypt = require('bcrypt');
const workFactor = 8;

To demonstrate, we will define a dummy password. You can change this value according to the working of your application.

var password = "Educative@123";

Moving on, we will generate a salt and hash the password. There are two methods for this task.

Promise pattern to generate salt and hash

The first method is based on the promise pattern (promises are a fundamental JavaScript feature for managing asynchronous code). The following code snippet shows the complete function.

bcrypt
  .genSalt(workFactor)
  .then(salt => {
    console.log(`Salt: ${salt}`);
    return bcrypt.hash(password, salt);
  })
  .then(hash => {
    console.log(`Hash: ${hash}`);
  })
  .catch(err => console.error(err.message));

Use promise pattern to generate the salt and hash

We first generate a salt using genSalt, which accepts workFactor as its argument. Next, we pass the generated salt and the password to bcrypt's hash function, which produces the hash stored in the hash variable. If an error is thrown at any stage, the catch block handles it.

The complete script below can be run to see the output of the function.

const bcrypt = require('bcrypt');
const workFactor = 8;
var password = "Educative@123";

bcrypt
  .genSalt(workFactor)
  .then(salt => {
    console.log(`Salt: ${salt}`);
    return bcrypt.hash(password, salt);
  })
  .then(hash => {
    console.log(`Hash: ${hash}`);
  })
  .catch(err => console.error(err.message));

The code displays the generated salt and hash. Notice that the function generates a new salt on every execution.

Without promise pattern

The second method combines the functions for generating the salt and hashing the password. The code snippet below shows the complete function.

const bcrypt = require('bcrypt');
const workFactor = 8;
var password = "Educative@123";

// Combined function to generate salt and hash
bcrypt.hash(password, workFactor, function(err, hash) {
  // Check the error first: on failure, hash is undefined
  if (err) return console.error(err.message);
  console.log(`Hash: ${hash}`);
});

Here, the bcrypt.hash() function accepts three parameters, as discussed below:

  1. password: The password that is hashed.

  2. workFactor: The number of iterations the hashing algorithm performs.

  3. function(err, hash): The callback function that receives the error err if the process fails, or the hashed password hash if the process is successful. This callback executes once hashing has completed.

There is a similar method to implement the code above.

const bcrypt = require('bcrypt');
const workFactor = 8;
var password = "Educative@123";

// Separate functions to generate salt and hash
bcrypt.genSalt(workFactor, function(err, salt) {
  if (err) return console.error(err.message);
  bcrypt.hash(password, salt, function(err, hash) {
    if (err) return console.error(err.message);
    console.log(`Hash: ${hash}`);
  });
});

Here, the function genSalt accepts two parameters:

  1. workFactor: The number of iterations the hashing algorithm performs.

  2. function(err, salt): The callback function that receives the error err if the process fails, or the generated salt if the process is successful. This callback executes once salt generation has completed.

The salt generated in genSalt is directly passed on to function hash which accepts three parameters:

  1. password: The password that is hashed.

  2. salt: The salt generated in the genSalt function.

  3. function(err, hash): The callback function that returns error err if the process fails and returns a hashed password hash if the process is successful.

Both of the methods discussed above perform the same procedure. The difference in output is due to the different salt generated for every password.

So far, we have generated a hash for the password. We need a method to verify if a hash matches a password. In the next section, we will discuss how to match a hash and a password.

Password verification

To verify if a password matches a given hash, we use compare method of bcrypt. The code snippet below implements the complete function.

const bcrypt = require('bcrypt');

var password2 = "Bcrypt@123";
var hash = "$2b$08$ihbrrTtUeKlPe3inaQ4Nm..Ylc7BZ.p9PNU80hoSPnTkvNK9MkVLO";

bcrypt.compare(password2, hash, function(err, result) {
  // A malformed hash or internal failure is reported here, not as "not verified"
  if (err) return console.error(err.message);
  // Password matched
  if (result) {
    console.log("Password verified");
  }
  // Password not matched
  else {
    console.log("Password not verified");
  }
});

Here, the compare method accepts three parameters:

  1. password: The plaintext password to check against the hash.

  2. hash: The previously generated hash of the password.

  3. function(err, result): The callback function that receives either the error err or the result. If the password matches the hash, result is true. Otherwise, result is false.

In the code above, we define a variable password2 to store another password for demonstration. Also, we define another variable hash to store the correct generated hash for password2. Next, the function compare accepts the password, hash, and callback function and prints the result to the console. Since the password and hash match, the code should print Password verified.
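As an added example (not code from the original article), the following decodes the hash string used in the verification snippet above using only Node's standard library, with no bcrypt module installed. It shows that the version, cost and salt are carried inside the string, which is why compare() needs only the candidate password and the stored hash; the cost range 4..31 is bcrypt's own limit.

```javascript
// Added example, not code from the original article. It needs only Node's
// standard library (no bcrypt module) and decodes the 60-character hash
// string that bcrypt produces and that compare() consumes:
//   $2b$08$ihbrrTtUeKlPe3inaQ4Nm..Ylc7BZ.p9PNU80hoSPnTkvNK9MkVLO
//    |  |  |<-- 22-char salt --->|<------ 31-char digest ------>|
//    |  +--- cost (work factor); bcrypt runs 2 ** cost rounds
//    +------ algorithm version ($2a$, $2b$, $2y$ are common)
// Because the version, cost and salt travel inside the string, compare()
// needs only the candidate password and the stored hash.

const BCRYPT_BASE64 = /^[./A-Za-z0-9]+$/;  // bcrypt's own base64 alphabet
const MIN_COST = 4;
const MAX_COST = 31;

function parseBcryptHash(hashString) {
  if (typeof hashString !== 'string' || hashString.length !== 60) {
    throw new Error('a bcrypt hash is exactly 60 characters long');
  }
  // '$2b$08$<body>' splits into ['', '2b', '08', '<body>']
  const parts = hashString.split('$');
  if (parts.length !== 4 || parts[0] !== '') {
    throw new Error('expected $<version>$<cost>$<salt+digest>');
  }
  const [, version, costField, body] = parts;
  if (!/^2[abxy]?$/.test(version)) {
    throw new Error(`unsupported bcrypt version "${version}"`);
  }
  if (!/^\d{2}$/.test(costField)) {
    throw new Error('cost must be two decimal digits');
  }
  const cost = Number(costField);
  if (cost < MIN_COST || cost > MAX_COST) {
    throw new Error(`cost ${cost} is outside ${MIN_COST}..${MAX_COST}`);
  }
  if (body.length !== 53 || !BCRYPT_BASE64.test(body)) {
    throw new Error('salt+digest must be 53 bcrypt-base64 characters');
  }
  return {
    version,
    cost,
    iterations: 2 ** cost,    // the work factor is a base-2 exponent
    salt: body.slice(0, 22),  // 16 random bytes, base64-encoded
    digest: body.slice(22),   // 23 bytes of Blowfish-based output
  };
}

// The hash used in the article's verification snippet.
const ARTICLE_HASH = '$2b$08$ihbrrTtUeKlPe3inaQ4Nm..Ylc7BZ.p9PNU80hoSPnTkvNK9MkVLO';
console.log(parseBcryptHash(ARTICLE_HASH));  // cost 8 -> 256 iterations
```

Storing hashes from different work factors side by side is therefore harmless: each string records the cost it was made with, so the work factor can be raised over time as hardware gets faster.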

You can test the code given above by generating a hash for your own password and then verifying it with compare.


Summing it up, bcrypt is a simple yet powerful algorithm for hashing your passwords. It is good practice to implement such hashing in your applications to resist rainbow table attacks (in which the attacker uses a precomputed table of password hashes to look up a password from its hash) and brute-force attacks on your confidential data.

Copyright ©2024 Educative, Inc. All rights reserved


FAQs

How to hash passwords using bcrypt in Node.js?

Hashing a password:

bcrypt.genSalt(saltRounds, function(err, salt) {
  bcrypt.hash(plainPassword, salt, function(err, hash) {
    if (err) throw err;
    // Store the 'hash' in your database
  });
});

Adjust the saltRounds value according to the desired level of security. Higher values will result in slower hash generation.


Is bcrypt good for hashing passwords?

Compare this to popular hashing algorithms such as MD5 and SHA256, which are designed to hash quickly. They're better for applications that are used frequently and where speed is important, whereas bcrypt is the better option for the safe storage of passwords.

Which is the best password hashing algorithm for Node.js?

Hash and Salt Passwords

Learn how bcrypt, scrypt, and other algorithms can securely hash passwords in Node.js. Use bcrypt or scrypt for password hashing. These algorithms are designed to be slow to hinder brute force attacks.

How many rounds to use with bcrypt?

UPDATE: The RFC passed and 12 was chosen as the new default rounds in PHP 8.4! So… all of that to say we've increased the default bcrypt rounds from 10 to 12!

What is the best hashing algorithm for passwords?

While Argon2id should be the best choice for password hashing, scrypt should be used when the former is not available. Like Argon2id, scrypt has three different parameters that can be configured: the minimum CPU/memory cost parameter (N), the blocksize (r) and the degree of parallelism (p).

Is bcrypt deprecated?

bcrypt-nodejs is deprecated and throws a warning on install #8903.

What is the fastest secure hash algorithm?

xxHash is an extremely fast hash algorithm, running at RAM speed limits. It successfully completes the SMHasher test suite, which evaluates the collision, dispersion and randomness qualities of hash functions.

What is the strongest hash algorithm?

What's the Most Secure Hashing Algorithm? SHA-256. SHA-256 (secure hash algorithm) is an algorithm that takes an input of any length and uses it to create a 256-bit fixed-length hash value.

Is Argon2 better than bcrypt?

Argon2 is a great memory-hard password hashing algorithm, which makes it good for offline key derivation. But it requires more time, which, for web applications is less ideal. bcrypt can deliver hashing times under 1 second long, but does not include parameters like threads, CPU, or memory hardness.

What is the disadvantage of bcrypt?

Bcrypt is slower and requires some memory (4 kiB IIRC), so one spends 100ms to check a valid password whereas an attacker needs days / years to crack it because he's slowed down and can't use GPUs efficiently.

How long can a bcrypt password be?

BCrypt hashed passwords and secrets have a 72 character limit. This is a limitation of the BCrypt algorithm and the Golang BCrypt library.

How much does bcrypt hashing cost?

Bcrypt uses a cost parameter that specifies the number of cycles to use in the algorithm. Increasing this number makes the algorithm spend more time generating the hash output. The cost parameter is represented by an integer value between 4 and 31.

How to use bcrypt to encrypt a password?

Bcrypt API
  1. Type a password, click 'Generate Hash' and we'll show you the bcrypt'd hash.
  2. Password.
  3. Cost. Provide a number between 4 and 10 (higher or lower values not permitted).
  4. Hash. ...
  5. Generate Hash.

What is the difference between SHA256 and bcrypt?

The main difference between bcrypt and SHA256 is that bcrypt is created to calculate the hash as slowly as possible without hindering users, whereas SHA256 is designed to be computationally fast.

How to encrypt data that needs to be decrypted in Node.js?

First, the developers need to create a key from a hashing algorithm, and later on they need to create a random initialization number before encrypting the text. This enables the Node.js development company to use the Cipher class in order to develop an instance of cipher by utilizing the crypto module.

How to decrypt data using bcrypt?

How to decrypt an encrypted password in a Mendix app set to bcrypt? You cannot do this because passwords are hashed, not encrypted. Hashing is one way only; you cannot reverse it.

Article information

Author: Terence Hammes MD
