How to use the JavaScript bcrypt library
New Course Coming Soon:
Get Really Good at Git
Find out how to hash and check passwords in JavaScript with the bcrypt library
The bcrypt npm package is one of the most used packages to work with passwords in JavaScript.
This is security 101, but it’s worth mentioning for new developers: you never store a password in plain text in the database or in any other place. You just don’t.
What you do instead is, you generate a hash from the password, and you store that.
In this way:
import bcrypt from 'bcrypt'
// or
// const bcrypt = require('bcrypt')
const password = 'oe3im3io2r3o2'
const rounds = 10
bcrypt.hash(password, rounds, (err, hash) => {
if (err) {
console.error(err)
return
}
console.log(hash)
})
You pass a number as second argument and the bigger that is, the more secure the hash is. But also the longer it takes to generate it.
The library README tells us that on a 2GHz core we can generate:
rounds=8 : ~40 hashes/sec
rounds=9 : ~20 hashes/sec
rounds=10: ~10 hashes/sec
rounds=11: ~5 hashes/sec
rounds=12: 2-3 hashes/sec
rounds=13: ~1 sec/hash
rounds=14: ~1.5 sec/hash
rounds=15: ~3 sec/hash
rounds=25: ~1 hour/hash
rounds=31: 2-3 days/hash
If you run bcrypt.hash()
multiple times, the result will keep changing. This is key because there is no way to reconstruct the original password from a hash.
Given the same password and a hash it’s possible to find out if the hash was built from that password, using the bcrypt.compare()
function:
bcrypt.compare(password, hash, (err, res) => {
if (err) {
console.error(err)
return
}
console.log(res) //true or false
})
If so, the password matches the hash and for example we can let a user log in successfully.
You can use the bcrypt
library with its promise-based API too, instead of callbacks:
const hashPassword = async () => {
const hash = await bcrypt.hash(password, rounds)
console.log(hash)
console.log(await bcrypt.compare(password, hash))
}
hashPassword()
Check a couple examples in this Glitch:
Here is how can I help you:
- COURSES where I teach everything I know
- THE VALLEY OF CODE your web development manual
- BOOTCAMP 2024 cohort in progress, next edition in 2025
- BOOKS 16 coding ebooks you can download for free on JS Python C PHP and lots more
- SOLO LAB everything I know about running a lifestyle business as a solopreneur
- Interesting links collection
- Follow me on X