Do you use bcrypt or other 3rd-party npm packages when hashing user password?

Why are people using third party packages like bcrypt to hash user credentials instead of Node's own built-in classes and methods?

https://nodejs.org/api/crypto.html#cryptoscryptpassword-salt-keylen-options-callback

Reduce packages (and dependencies) by using Node's asynchronous scrypt method.

Well how does it work?

import { scrypt, randomBytes } from 'crypto';

const salt = randomBytes(32).toString('hex');
scrypt(password, salt, 32, async (err, derivedKey) => {
  const userToCreate = {
    password: derivedKey.toString('hex'),
    username: username,
    salt: salt,
  };
});

The userToCreate will then contain the hashed password, as well as a random salt. In this example the hash and salt will still be different if two passwords are equal. That's exactly what we want!

Comments

[Jan Küster]

Mostly due to this: security.stackexchange.com/questio...

[GreenIntro]

Please leave a comment on any thoughts you may have regarding using bcrypt as a separate package instead of a built-in functionality.