The Palos Publishing Company


Hash passwords with bcrypt

Hashing passwords with bcrypt is a common practice to ensure that stored passwords are secure. bcrypt is a one-way hashing algorithm that incorporates a salt to defend against rainbow table attacks and makes the process computationally intensive to resist brute force attacks.

Here’s a step-by-step guide to hash passwords with bcrypt in Node.js using the bcrypt library.

1. Install bcrypt

First, install the bcrypt package using npm or yarn:

```bash
npm install bcrypt
```

Or, if you’re using Yarn:

```bash
yarn add bcrypt
```

2. Hashing a Password

To hash a password with bcrypt, you can use the bcrypt.hash() method. Here is an example of how to hash a password:

```javascript
const bcrypt = require('bcrypt');

const password = 'userpassword123'; // Password to hash
// Number of salt rounds (cost factor) to make the hash more expensive to compute
const saltRounds = 10;

bcrypt.hash(password, saltRounds, function (err, hashedPassword) {
  if (err) {
    console.error('Error hashing password: ', err);
  } else {
    console.log('Hashed Password: ', hashedPassword);
  }
});
```

3. Verifying a Password

To verify if the user’s entered password matches the stored hashed password, you use bcrypt.compare(). This method compares the plain-text password with the hashed one and returns a boolean indicating whether they match.

Here’s an example:

```javascript
const bcrypt = require('bcrypt');

// Example hashed password loaded from the database
const storedHashedPassword = '$2b$10$D1qkKZgPe3h.nqqhtH95R.mzp0twBdR2I3TGBNQ16ghQqKAwf9kOa';
const enteredPassword = 'userpassword123'; // Password entered by the user

bcrypt.compare(enteredPassword, storedHashedPassword, function (err, result) {
  if (err) {
    console.error('Error comparing passwords: ', err);
  } else if (result) {
    console.log('Passwords match!');
  } else {
    console.log('Passwords do not match.');
  }
});
```

Explanation:

  • bcrypt.hash(): This method generates a random salt and hashes the password with it. The saltRounds argument is bcrypt's cost factor: each increment doubles the work the algorithm performs (2^saltRounds iterations), so higher values make the hash harder to brute force but also take longer to compute for every login.

  • bcrypt.compare(): This method reads the cost factor and salt back out of the stored hash, hashes the entered password with the same parameters, and reports whether the result matches the stored value.

4. Salt Rounds

The saltRounds value is bcrypt's cost factor rather than a literal count of salting passes: the hashing work grows as 2^saltRounds, so each increment roughly doubles the time it takes to compute a hash, for you and for anyone trying to brute force it. A typical value is between 10 and 12 salt rounds for a good balance of security and performance; measure the hashing time on your own servers, since the right number depends on your hardware.

5. Storing the Hashed Password

You can store the result of bcrypt.hash() in your database. Typically, the result will look something like this:

```text
$2b$10$D1qkKZgPe3h.nqqhtH95R.mzp0twBdR2I3TGBNQ16ghQqKAwf9kOa
```

This string contains the bcrypt version ($2b$), the cost factor (10), the 22-character salt, and the hash itself, all in bcrypt's own base64 alphabet. You don't need to break it down manually; bcrypt.compare() parses it internally. Two things worth knowing when storing it: the column needs to hold at least 60 characters, and bcrypt only uses the first 72 bytes of the password, so longer inputs are silently truncated.
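The following is an added example and is not code from the original article or from the bcrypt package. It shows the structure described in sections 4 and 5 from the defender's side: a small parser for the stored hash string, a policy check that flags rows whose cost factor has fallen below the minimum you now require (so they can be rehashed on the user's next successful login), and a check for bcrypt's 72-byte input limit. It uses only Node.js built-ins; the user names and the two hashes other than the one quoted above are constructed sample data, and the parseBcryptHash, needsRehash, exceedsBcryptLimit and auditRows names are this example's own.

```javascript
// Added example (not from the original article). Pure Node.js, no bcrypt dependency.
// Layout of a stored bcrypt hash:
//   $<version>$<cost>$<22-char salt><31-char hash>
// Version is 2a/2b/2x/2y, cost is two decimal digits, salt and hash use bcrypt's base64 alphabet.
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Split a stored hash into its fields; returns null for anything that is not a bcrypt string
function parseBcryptHash(stored) {
  const m = BCRYPT_RE.exec(stored);
  if (!m) return null;
  const cost = Number(m[2]);
  return {
    version: m[1],
    cost,
    iterations: 2 ** cost, // work factor grows exponentially with the cost
    salt: m[3],
    hash: m[4],
  };
}

// Policy check: a row needs rehashing if it is not bcrypt at all or its cost is below minCost
function needsRehash(stored, minCost = 10) {
  const parsed = parseBcryptHash(stored);
  if (!parsed) return true;
  return parsed.cost < minCost;
}

// bcrypt uses only the first 72 bytes of the password; reject or pre-check longer inputs
function exceedsBcryptLimit(password) {
  return Buffer.byteLength(password, 'utf8') > 72;
}

// Constructed sample rows: the first hash is the one quoted in the article; the other
// two are made-up strings with the right shape (a low-cost bcrypt value and a legacy
// hex digest), not real password hashes.
const SAMPLE_ROWS = [
  { user: 'alice', hash: '$2b$10$D1qkKZgPe3h.nqqhtH95R.mzp0twBdR2I3TGBNQ16ghQqKAwf9kOa' },
  { user: 'bob',   hash: '$2a$04$' + 'a'.repeat(22) + 'b'.repeat(31) },
  { user: 'carol', hash: '5f4dcc3b5aa765d61d8327deb882cf99' },
];

// Return the users whose stored hash should be upgraded at their next login
function auditRows(rows, minCost = 10) {
  return rows.filter((r) => needsRehash(r.hash, minCost)).map((r) => r.user);
}

for (const row of SAMPLE_ROWS) {
  console.log(row.user, parseBcryptHash(row.hash));
}
console.log('needs rehash:', auditRows(SAMPLE_ROWS)); // ['bob', 'carol']
```

The audit helper is the practical use of knowing the string layout: when you raise saltRounds in your application, existing rows keep their old cost until they are rehashed, and the cost digits in each stored value tell you which ones still lag behind. The rehash itself must happen at login, because that is the only moment the plaintext password is available.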

Conclusion

By using bcrypt to hash passwords, you’re protecting user data by ensuring that even if someone gains access to your database, they won’t have access to the actual passwords. This method of hashing is highly recommended for modern web applications.
