How to Hash a Password Properly in Node.js

Published April 2025 · 4 min read

Never store passwords as plain text, and never as a plain fast hash such as SHA-256, with or without a salt. Use a password hashing function built for the job: bcrypt.

Install bcrypt

npm install bcrypt

Hash a Password

const bcrypt = require('bcrypt');

// await is only valid inside an async function (or an ES module), so wrap it
async function register(password) {
  // 10 is the cost factor: bcrypt does 2^10 key-setup rounds and generates a
  // random salt for you; both are recorded in the returned string
  const hash = await bcrypt.hash(password, 10);
  return hash; // Store this string in the database; it already contains salt and cost
}

Verify a Password

async function login(candidate, storedHash) {
  // compare re-hashes the candidate with the salt and cost embedded in storedHash
  const isMatch = await bcrypt.compare(candidate, storedHash);
  return isMatch; // true only if the candidate matches the stored password
}

Why bcrypt?

  • Deliberately slow: each guess costs 2^rounds iterations, so an attacker who steals the hash table gets far fewer guesses per second
  • Per-password random salt, stored inside the hash string: two users with the same password get different hashes, and precomputed rainbow tables are useless
  • Adjustable cost: the rounds are recorded in the hash, so you can raise them as hardware gets faster and re-hash old entries at the user's next login

Never Use These for Passwords

  • ❌ MD5: collision-broken, and a GPU tries billions of guesses per second against it
  • ❌ SHA-256: a sound general-purpose hash, but fast by design, so still far too cheap to brute-force even with a salt
  • ❌ Plain text: one database dump exposes every user's password directly
