Password hashing is one of the most common tasks in a web application. Hashing generally maps data of any size to a fixed-length string by using a secure algorithm. It's a one-way function that makes it suitable for authentication.

In an earlier article, I wrote about how to encrypt and decrypt strings, numbers, buffers, streams, etc. by using the Node.js built-in crypto module. Today, you'll learn to use another Node.js open-source library called bcrypt for hashing passwords.

The bcrypt library makes it fun to hash and compare passwords in a Node.js application.


To use the bcrypt library in a Node.js application, run the following command in your terminal to install it via NPM:

$ npm install bcrypt --save

Now, you can include it in your application:

const bcrypt = require('bcrypt')

Hashing a password

Bcrypt provides both asynchronous and synchronous password hashing methods. The asynchronous mode is recommended because hashing is a CPU-intensive task.

The synchronous approach will block the event loop and prevent your application from handling any other incoming requests or events. The asynchronous version uses a thread pool that does not stop the main event loop.

Asynchronous Hashing

The bcrypt.hash() function takes the plain password and salt as input and returns a hashed string. Let us write a simple function:

const hashPassword = async (password, saltRounds = 10) => {
  try {
    // Generate a salt
    const salt = await bcrypt.genSalt(saltRounds)

    // Hash password
    return await bcrypt.hash(password, salt)
  } catch (error) {

  // Return null if error
  return null

As you can see above, we first generated a salt with bcrypt.genSalt() and later invoked the bcrypt.hash() method to create a hashed string.

The first step is optional. You can directly pass the number of salt rounds to the bcrypt.hash() method to achieve the same end result:

const hash = await bcrypt.hash(password, saltRounds)

Now, whenever required, just call the above method to hash a password and store it in a database:

;(async () => {
  const hash = await hashPassword('123456')
  // $2b$10$5ysgXZUJi7MkJWhEhFcZTObGe18G1G.0rnXkewEtXq6ebVx1qpjYW

  // TODO: store hash in a database

Bcrypt also supports traditional callbacks and JavaScript promises. I prefer to use async-await syntax because it is clean and easier to understand.

Synchronous Hashing

If you prefer to use the synchronous approach instead, just use the following code:

// Generate Salt
const salt = bcrypt.genSaltSync(10)

// Hash Password
const hash = bcrypt.hashSync('123456', salt)

// $2b$10$Wdj1lOudt3JXEc6TBI2C6.Wafuv33FRdv9jRd9qtVdPYWmKmbtiTm

You can also auto-generate the salt and hash the password in the same function call:

const hash = bcrypt.hashSync('123456', 10)

Salt Rounds

The saltRounds parameter is critical when you hash a password with Bcrypt. It defines the number of rounds the library should go through to give you a secure hash. Bcrypt also uses this value to go through 2^rounds processing iterations.

The higher the salt rounds, the more time it will take to generate a secure hash. On a typical 2GHz core, you can roughly expect:

rounds=8 : ~40 hashes/sec
rounds=9 : ~20 hashes/sec
rounds=10: ~10 hashes/sec
rounds=11: ~5  hashes/sec
rounds=12: 2-3 hashes/sec
rounds=13: ~1 sec/hash
rounds=14: ~1.5 sec/hash
rounds=15: ~3 sec/hash
rounds=25: ~1 hour/hash
rounds=31: 2-3 days/hash

Comparing passwords

Now, if you want to compare the password entered by the user with the previously stored hashed password, just use the method. Let us write a function that verifies if the password entered by the user is valid or not:

const comparePassword = async (password, hash) => {
  try {
    // Compare password
    return await, hash)
  } catch (error) {

  // Return false if error
  return false

The following example demonstrates how you can call the above method to validate a password entered by the user:

;(async () => {
  // Hash fetched from DB
  const hash = `$2b$10$5ysgXZUJi7MkJWhEhFcZTObGe18G1G.0rnXkewEtXq6ebVx1qpjYW`

  // Check if the password is correct
  const isValidPass = await comparePassword('123456', hash)

  // Print validation status
  console.log(`Password is ${!isValidPass ? 'not' : ''} valid!`)
  // => Password is valid!

Bcrypt also provides the compareSync() method to perform the comparison synchronously:

const isValidPass = bcrypt.compareSync(password, hash)


That's all about hashing passwords using Bcrypt in a Node.js application. You've just learned how to hash and verify passwords with Node.js and Bcrypt.

Take a look at Bcrypt docs to learn more about all the available options and API methods.

✌️ Like this article? Follow me on Twitter and LinkedIn. You can also subscribe to RSS Feed.