DEV Community: GreenIntro The latest articles on DEV Community by GreenIntro (@iamgreenintro). https://dev.to/iamgreenintro https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1277583%2Fe660896d-350f-4b26-8f5a-92593157e14e.png DEV Community: GreenIntro https://dev.to/iamgreenintro en Do you use bcrypt or other 3rd-party npm packages when hashing user password? GreenIntro Sat, 10 Feb 2024 14:02:17 +0000 https://dev.to/iamgreenintro/do-you-use-bcrypt-or-other-3rd-party-npm-packages-when-hashing-user-password-49bi https://dev.to/iamgreenintro/do-you-use-bcrypt-or-other-3rd-party-npm-packages-when-hashing-user-password-49bi <p>Why are people using third party packages like bcrypt to hash user credentials instead of Node's own built-in classes and methods?</p> <p><a href="https://nodejs.org/api/crypto.html#cryptoscryptpassword-salt-keylen-options-callback">https://nodejs.org/api/crypto.html#cryptoscryptpassword-salt-keylen-options-callback</a></p> <p>Reduce packages (and dependencies) by using Node's asynchronous <code>scrypt</code> method.</p> <p>Well how does it work?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">scrypt</span><span class="p">,</span> <span class="nx">randomBytes</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">salt</span> <span class="o">=</span> <span class="nf">randomBytes</span><span class="p">(</span><span class="mi">32</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="nf">scrypt</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">salt</span><span class="p">,</span> <span class="mi">32</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">derivedKey</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">userToCreate</span> <span class="o">=</span> <span class="p">{</span> <span class="na">password</span><span class="p">:</span> <span class="nx">derivedKey</span><span class="p">.</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">),</span> <span class="na">username</span><span class="p">:</span> <span class="nx">username</span><span class="p">,</span> <span class="na">salt</span><span class="p">:</span> <span class="nx">salt</span><span class="p">,</span> <span class="p">};</span> <span class="p">});</span> </code></pre> </div> <p>The <code>userToCreate</code> will then contain the hashed password, as well as a random salt. In this example the hash and salt will still be different if two passwords are equal. That's exactly what we want!</p> javascript node authentication webdev