bcrypt Hashing in JavaScript: bcryptjs Guide
Hash passwords with bcrypt in JavaScript using bcryptjs or bcrypt npm packages. Includes async hashing, verification examples, and cost factor guidance.
bcrypt is a password hashing function designed to be computationally expensive, making brute-force attacks impractical even on modern hardware. In JavaScript, the bcryptjs library provides a pure JavaScript implementation that works in both Node.js and the browser. For server-side Node.js, bcrypt (with native bindings) is also available and faster. This guide covers both.
How to Use the bcrypt Generator Tool
- Enter a password or string — Type the value you want to hash into the input field.
- Set the cost factor — Choose a work factor (rounds). Higher values are slower and more secure; 12 is a good default for most applications.
- Generate the hash — The tool produces a bcrypt hash string starting with $2b$.
- Copy and store it — Store this hash in your database. Never store the original password.
bcrypt with bcryptjs in Node.js
```javascript
// Install: npm install bcryptjs
const bcrypt = require('bcryptjs');

async function hashPassword(password) {
  const saltRounds = 12;
  // Generates a fresh random salt and embeds it in the result.
  const hash = await bcrypt.hash(password, saltRounds);
  return hash; // $2b$12$...60 character hash string...
}

async function verifyPassword(password, hash) {
  // Re-derives the hash using the salt and cost stored inside `hash`.
  const match = await bcrypt.compare(password, hash);
  return match; // true or false
}

// Usage
hashPassword('mySecretPassword').then(hash => {
  console.log(hash);
  verifyPassword('mySecretPassword', hash).then(console.log); // true
});
```
bcrypt with bcrypt (native) in Node.js
```javascript
// Install: npm install bcrypt
const bcrypt = require('bcrypt');

// Synchronous (avoid in production for high-traffic routes: blocks the event loop)
const hashSync = bcrypt.hashSync('myPassword', 12);
const matchSync = bcrypt.compareSync('myPassword', hashSync);

// Async (preferred): the hashing work runs off the event loop.
// `await` is only valid inside an async function in a CommonJS module.
async function example() {
  const hash = await bcrypt.hash('myPassword', 12);
  const match = await bcrypt.compare('myPassword', hash);
  return match; // true
}
```
Why Use bcrypt for Password Hashing?
- Built-in salting — bcrypt automatically generates and embeds a unique salt in each hash, preventing rainbow table attacks even if two users have the same password.
- Adjustable work factor — As hardware gets faster, you increase the cost factor to maintain resistance against brute force.
- Industry standard — bcrypt has been the recommended password hashing function since 1999 and is still considered safe for most applications today.
- Self-verifying hash format — The bcrypt hash string contains the algorithm, cost factor, and salt — all you need is the original password and the hash to verify.
Choosing the Right Cost Factor
The cost factor (rounds) controls how many iterations bcrypt performs. Each increment doubles the hashing time. At rounds=10, hashing takes roughly 100ms on typical hardware; at rounds=12, roughly 400ms. For web applications, target 200–500ms for login operations — slow enough to deter attackers, fast enough that users don't notice. Never go below 10 in production.
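As an added example (not part of this guide, nor code from the bcryptjs or bcrypt packages), the block below parses the self-describing hash format, uses the embedded cost factor to detect stored hashes that fall below the current policy so they can be re-hashed on the next successful login, and flags inputs over bcrypt's 72-byte limit. The injected `bcrypt` module, the `save` callback, and `SAMPLE_HASH` are assumptions or constructed values.

```javascript
// Added example, not from the page. Works with bcryptjs or native bcrypt,
// which expose the same hash()/compare() API; the module is injected below.
// bcrypt hash layout: $<version>$<cost>$<22-char salt><31-char digest> (60 chars)
const BCRYPT_RE = /^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{53})$/;

// Parse a stored hash into its parts; returns null if it is not a valid bcrypt string.
function parseBcryptHash(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // bcrypt's valid cost range
  return { version: m[1], cost, salt: m[3].slice(0, 22), digest: m[3].slice(22) };
}

// True when the stored hash was made with a lower cost than current policy requires.
// Unparseable values also return true so legacy or corrupted rows get replaced.
function needsRehash(hash, targetCost) {
  const parsed = parseBcryptHash(hash);
  return parsed === null || parsed.cost < targetCost;
}

// bcrypt uses only the first 72 bytes of the password and silently truncates the
// rest, so reject (or pre-hash) longer inputs instead of accepting them unchanged.
function exceedsBcryptLimit(password) {
  return new TextEncoder().encode(password).length > 72;
}

// Login check that upgrades the stored hash transparently when the cost policy
// has been raised. `bcrypt` is the loaded module; `save` persists the new hash
// (hypothetical callback, e.g. an UPDATE on the user row).
async function verifyAndUpgrade(bcrypt, password, storedHash, targetCost, save) {
  const ok = await bcrypt.compare(password, storedHash);
  if (!ok) return false; // wrong password: never touch the stored hash
  if (needsRehash(storedHash, targetCost)) {
    const upgraded = await bcrypt.hash(password, targetCost);
    await save(upgraded);
  }
  return true;
}

// Constructed sample: a $2b$ hash at cost 10 (not a real digest), checked against a cost-12 policy.
const SAMPLE_HASH = '$2b$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234';
console.log(parseBcryptHash(SAMPLE_HASH).cost, needsRehash(SAMPLE_HASH, 12)); // 10 true
```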
Test bcrypt hashes with the bcrypt Generator to experiment with cost factors before writing your Node.js code.