Password Hashing with bcrypt

Node js 9 min min read Updated: Mar 30, 2026 Intermediate
Progress 7 / 10
📑 Table of Contents
Basics
Express & APIs
Database & Authentication
Advanced & Scaling
DevOps & Deployment
🎓 Want Live Training?

Join our expert-led Node js Training live classes

Enroll Now
Password Hashing with bcrypt
Intermediate Topic 7 of 10

Password Hashing with bcrypt in Node.js

Password security is one of the most important parts of backend development. When users create accounts, their passwords should never be stored in plain text inside the database. Instead, passwords must be hashed before saving them.

Hashing converts a password into a fixed-length encrypted-looking string. This makes it much harder for attackers to recover the original password even if the database is leaked. In Node.js applications, bcrypt is one of the most commonly used libraries for secure password hashing.

Key Concept: bcrypt helps hash passwords securely before storing them, reducing the risk of exposing real passwords in case of a data breach.

What is bcrypt?

bcrypt is a password-hashing library designed specifically for securely storing passwords. It adds a salt automatically and applies multiple rounds of hashing, making the password harder to crack.

Unlike simple encryption or plain hashing, bcrypt is slow by design, which is actually a security advantage. It makes brute-force attacks much more difficult.

Why Plain Text Passwords Are Dangerous

If passwords are stored exactly as users type them, anyone with database access can read them immediately. This is extremely dangerous because many users reuse the same password across multiple platforms.

For example, storing this in the database is unsafe:

json { "email": "rahul@example.com", "password": "mypassword123" }

Instead, the password should be hashed before storage.

Installing bcrypt

To use bcrypt in a Node.js application, install it with npm:

bash npm install bcrypt

Hashing a Password

bcrypt provides the hash() method to convert a password into a hashed value.

javascript const bcrypt = require("bcrypt"); const password = "mypassword123"; const saltRounds = 10; bcrypt.hash(password, saltRounds, (err, hash) => { if (err) throw err; console.log(hash); });

In this example:

  • password is the original user password
  • saltRounds defines the hashing complexity
  • hash is the secured password that will be stored in the database

What is Salt in bcrypt?

A salt is random data added to the password before hashing. This ensures that even if two users have the same password, their stored hashes will still look different.

bcrypt automatically generates and uses a salt, which is one of the reasons it is considered secure.

Comparing Passwords During Login

During login, you should not compare the plain password directly with the stored hash. Instead, use bcrypt.compare().

javascript const bcrypt = require("bcrypt"); const enteredPassword = "mypassword123"; const storedHash = "$2b$10$examplehashedvalue"; bcrypt.compare(enteredPassword, storedHash, (err, result) => { if (err) throw err; if (result) { console.log("Password matched"); } else { console.log("Invalid password"); } });

Here:

  • enteredPassword is what the user typed during login
  • storedHash is the hashed password stored in the database
  • result returns true if the password matches

Using bcrypt with async/await

In modern Node.js applications, async/await is often preferred because it makes the code cleaner and easier to read.

javascript const bcrypt = require("bcrypt"); async function hashPassword() { const password = "mypassword123"; const hash = await bcrypt.hash(password, 10); console.log(hash); } hashPassword();

Compare Example with async/await

javascript async function checkPassword() { const password = "mypassword123"; const hash = await bcrypt.hash(password, 10); const isMatch = await bcrypt.compare(password, hash); console.log(isMatch); } checkPassword();

Using bcrypt in User Registration

In a real-world registration API, you should hash the password before saving the user:

javascript app.post("/register", async (req, res) => { try { const { name, email, password } = req.body; const hashedPassword = await bcrypt.hash(password, 10); const user = { name, email, password: hashedPassword }; res.json({ message: "User registered successfully", user }); } catch (error) { res.status(500).json({ error: error.message }); } });

In an actual application, this user object would be saved in MongoDB or another database.

Using bcrypt in Login API

During login, compare the entered password with the stored hash:

javascript app.post("/login", async (req, res) => { try { const { email, password } = req.body; const user = { email: "rahul@example.com", password: "$2b$10$examplehashedvalue" }; const isMatch = await bcrypt.compare(password, user.password); if (!isMatch) { return res.status(400).json({ message: "Invalid credentials" }); } res.json({ message: "Login successful" }); } catch (error) { res.status(500).json({ error: error.message }); } });

How Many Salt Rounds Should You Use?

The number of salt rounds affects both security and performance.

  • 8 rounds: Faster, lower security
  • 10 rounds: Common balance between speed and security
  • 12+ rounds: More secure, but slower

For many applications, 10 is a practical default.

Best Practices for Password Security

  • Always hash passwords before storing them
  • Never store plain text passwords
  • Use bcrypt or another strong password hashing library
  • Use proper input validation for passwords
  • Combine password hashing with JWT or session authentication
  • Store secrets and config in environment variables

Common Mistakes

  • Saving raw passwords directly in the database
  • Trying to “decrypt” bcrypt hashes later
  • Using very low salt rounds for production apps
  • Comparing hashed and plain text passwords directly

bcrypt vs Encryption

Password hashing and encryption are not the same.

Feature Hashing Encryption
Reversible No Yes
Purpose Password storage Protect data for later use
Best For User passwords Sensitive readable data

Real-World Use Cases

  • User registration systems
  • Login authentication flows
  • Admin panel access
  • Secure backend APIs

Conclusion

Password hashing with bcrypt is a must-have security practice in backend development. It protects user credentials and reduces the risk of serious damage if database data is exposed.

If you are building authentication systems in Node.js, learning bcrypt is essential. It works best when combined with proper validation, JWT authentication, and strong application security practices.

Quick Summary: bcrypt securely hashes passwords before storage, making user authentication safer and protecting credentials from direct exposure.
Authentication with JWT Refresh Tokens

Get Newsletter

Subscibe to our newsletter and we will notify you about the newest updates on Edugators

CONTACT

info.edugators@gmail.com

COMPANY

PROGRAMS

 

 

TRENDING COURSES

© 2020 - 2026 Edugators. All rights Reserved.