Last Updated: February 23, 2017
·
58.66K
· dyashkir

Correct way to store passwords in Node.js

Use bcrypt, why?
http://codahale.com/how-to-safely-store-a-password/

ncb000gt created an awesome module to do just that!

https://github.com/ncb000gt/node.bcrypt.js/

bcrypt.hash('password', 5, function( err, bcryptedPassword) {
   //save to db
});

//to compare password that user supplies in the future
var hash = getFromDB(..);
bcrypt.compare(userSuppliedPassword, hash, function(err, doesMatch){
  if (doesMatch){
     //log him in
  }else{
     //go away
  }
 });

Huge props to ncb000gt (Nick Campbell) for making this awesome module

3 Responses
Add your response

Is this better or worse than hashing the password on the client? (Say with something like: http://crypto.stanford.edu/sjcl/)

over 1 year ago ·

They are different things bcrypt work factor prevents brute forcing the passwords stored on the server. When someone breaks into your system they will not be able to run a brute force and crack all the passwords of your users, since people tend to use same passwords all over the place this is very useful. Passwords are also salted. First link explains it better then I can

over 1 year ago ·

Great tip. Thanks for sharing.

I would recommend using the default 10 rounds when "salting", bcrypt.hash('password', 10, func ...

over 1 year ago ·