Learn how to securely hash passwords in Node.js using bcrypt and crypto. Compare both approaches with code examples and best practices.
If you're building any application with user authentication, password security should be your top priority. One of the most critical steps is hashing passwords correctly.
In Node.js, developers commonly use two approaches:
- bcrypt (recommended)
- crypto module

But which one should you use? And how do you implement them securely?
In this guide, you'll learn:
You can also experiment with hashing using this tool:
https://www.mydevtoolhub.com/tools/hash-generator
Before jumping into code, let's understand why hashing is necessary. Suppose you store the password exactly as the user typed it:
```json
{
  "email": "user@example.com",
  "password": "mypassword123"
}
```
If your database is leaked, all passwords are exposed. Store a bcrypt hash instead:
```json
{
  "email": "user@example.com",
  "password": "$2b$10$Xyz..."
}
```
Now an attacker who steals the database does not get the passwords, only hashes that have to be guessed one candidate at a time, and a slow, salted hash makes every guess expensive.
bcrypt is a password hashing function (available in Node.js through the bcrypt npm package) designed specifically for this job: it generates a random salt for every hash, stores the salt and the cost factor inside the hash string, and is deliberately slow, with a cost factor you raise as hardware gets faster.
```bash
npm install bcrypt
```
```javascript
const bcrypt = require('bcrypt');

async function hashPassword(password) {
  // Cost factor: bcrypt performs 2^saltRounds rounds of key setup, so each +1 doubles the time.
  const saltRounds = 10;
  // bcrypt generates a random salt and embeds it, with the cost, in the returned string.
  const hash = await bcrypt.hash(password, saltRounds);
  return hash;
}

hashPassword('myPassword123').then(console.log);
```
```javascript
const bcrypt = require('bcrypt');

// Re-hashes `password` with the salt and cost stored inside `hash` and compares the result.
async function verifyPassword(password, hash) {
  const isMatch = await bcrypt.compare(password, hash);
  return isMatch;
}
```
crypto is a built-in Node.js module for cryptographic operations (no npm install needed).
It supports general-purpose hash algorithms such as SHA-256, used here:
```javascript
const crypto = require('crypto');

// Plain SHA-256: a single fast, unsalted digest. Shown for comparison only;
// do NOT use this for passwords.
function hashPassword(password) {
  return crypto
    .createHash('sha256')
    .update(password)
    .digest('hex');
}

console.log(hashPassword('myPassword123'));
```
While crypto is powerful, using a plain digest like SHA-256 for passwords is risky for two reasons. There is no salt, so two users with the same password get the same hash and one precomputed table cracks them all. And it is fast by design: an attacker holding leaked hashes can test hundreds of millions of candidate passwords per second on commodity GPUs, which is exactly the property a password hash must not have.
```javascript
const crypto = require('crypto');

// Keyed SHA-256 with a salt. `salt` must be random, unique per user and stored
// alongside the hash (e.g. crypto.randomBytes(16).toString('hex')).
// Still a fast hash, so still not a proper password hash.
function hashPassword(password, salt) {
  return crypto
    .createHmac('sha256', salt)
    .update(password)
    .digest('hex');
}
```
A random per-user salt, stored alongside the hash, fixes the first problem by making precomputed tables useless, but HMAC-SHA256 is just as fast as SHA-256, so an attacker still gets the same guess rate against each individual hash. A password hash needs a tunable work factor. If you want to stay inside the built-in module, use its purpose-built slow functions crypto.scrypt or crypto.pbkdf2 rather than a digest or HMAC; otherwise use bcrypt.
| Feature | bcrypt | crypto (SHA-256) |
|---|---|---|
| Designed for Passwords | Yes | No |
| Salting | Built-in (random, per hash) | Manual |
| Speed | Slow (secure) | Fast (risky) |
| Brute Force Protection | Strong | Weak |
| Ease of Use | Easy | Medium |
Use bcrypt when:
Use crypto when:
Bad: using crypto (plain SHA-256):
Good: using bcrypt:
Never use MD5 or plain SHA-256 for passwords: both are fast, unsalted digests built for integrity checks, not for resisting guessing.
Typical saltRounds value: 10 to 12. Benchmark on your own servers and pick the highest cost your login latency budget allows.
Protect passwords during transmission: hashing protects only the stored copy, so serve every login and registration endpoint over HTTPS.
Prevent online brute-force attacks: rate-limit failed logins per account and per source, since a slow hash protects leaked hashes but does nothing against an attacker hammering the login endpoint itself.
bcrypt is intentionally slow, to make brute-force attacks expensive: every increment of the cost factor doubles the work per hash, for the attacker as much as for your login endpoint, so a cost that still feels instant to a user turns a billion-guess attack on a leaked hash into a long project.
Use this tool to understand hashing behavior:
https://www.mydevtoolhub.com/tools/hash-generator
Always use the async bcrypt functions (bcrypt.hash and bcrypt.compare, not hashSync and compareSync) in production. A single hash at cost 10 takes on the order of 50 to 100 ms; the sync variants spend that time blocking the event loop, so every other request on the server stalls, while the async ones run the work on libuv's thread pool.
```javascript
// Async: the hash runs on the thread pool and does not block the event loop.
const hash = await bcrypt.hash(password, 10);
```
Yes, for password hashing.
Not recommended alone.
Random data that bcrypt generates for every hash and stores inside the hash string, so the same password hashed twice gives two different results and precomputed tables are useless.
10 to 12 is standard.
Yes, intentionally for security.
Yes, but its plain digests (SHA-256, MD5) are not for password hashing; if you must use crypto for passwords, use crypto.scrypt or crypto.pbkdf2.
If you're building authentication systems, always choose bcrypt.
Password security is not optional; it's essential.
Using the wrong hashing method can expose millions of users.
Start experimenting with hashing using:
https://www.mydevtoolhub.com/tools/hash-generator
Master bcrypt and secure coding practices to build safe and scalable applications.