Jul 01 2009

A Basic Lesson in Password Hashing

Update: May 11, 2014.

It’s quite easy now to hash passwords safely. Just use bcrypt or scrypt. scrypt is likely to be more secure, but as it’s also newer, it’s had less time for people to find weaknesses.

Example hashing with bcrypt:

var bcrypt = require('bcrypt');
// 12 is the cost factor; bcrypt generates a random salt and embeds it in the hash
bcrypt.hash(password, 12, function(err, hash) {
    if (err) throw err;
    // hash is the hashed text, store it in db
});

And then when a user logs in, you can compare it like this:

var bcrypt = require('bcrypt');
bcrypt.compare(password, hash, function(err, isMatch) {
    if (err) throw err;
    // isMatch is true if the password matches the stored hash
});
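
The post recommends scrypt but shows only bcrypt. As an added example (not from the original post), here is the same hash/verify pair using the scrypt built into Node's crypto module; the cost parameters, the `scrypt$N$r$p$salt$hash` storage format and the function names are assumptions chosen for illustration.

```javascript
const crypto = require('crypto');

// Assumed cost parameters (Node's defaults): N = CPU/memory cost, r = block
// size, p = parallelization. Memory use is roughly 128 * N * r bytes (16 MiB).
const PARAMS = { N: 16384, r: 8, p: 1 };
const KEY_LEN = 64;

// Returns "scrypt$N$r$p$salt$hash". Storing the parameters next to the hash
// lets the cost be raised later without breaking existing records.
function hashPassword(password) {
  const salt = crypto.randomBytes(16); // fresh random salt per password
  const key = crypto.scryptSync(password, salt, KEY_LEN, PARAMS);
  return ['scrypt', PARAMS.N, PARAMS.r, PARAMS.p,
    salt.toString('base64'), key.toString('base64')].join('$');
}

// Recomputes the hash with the stored salt and parameters, then compares.
function verifyPassword(password, stored) {
  const parts = String(stored).split('$');
  if (parts.length !== 6 || parts[0] !== 'scrypt') return false;
  const [N, r, p] = parts.slice(1, 4).map(Number);
  const salt = Buffer.from(parts[4], 'base64');
  const expected = Buffer.from(parts[5], 'base64');
  // A truncated or empty stored hash must never verify: two empty buffers
  // would compare equal.
  if (expected.length !== KEY_LEN) return false;
  let actual;
  try {
    // Throws on invalid parameters or ones that exceed the default memory limit.
    actual = crypto.scryptSync(password, salt, KEY_LEN, { N, r, p });
  } catch (err) {
    return false;
  }
  // Constant-time comparison, so timing does not leak how many bytes matched.
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed sample input
const record = hashPassword('correct horse battery staple');
console.log(record.split('$').slice(0, 4).join('$'));
console.log(verifyPassword('correct horse battery staple', record));
console.log(verifyPassword('Tr0ub4dor&3', record));
```
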