Jahongir Sobirov

How to hash passwords before saving it on database in Node.js

Hashing passwords plays a crucial role in the security of systems and networks, so in this post we'll learn how to hash passwords before saving them to a database using Node.js. For this we need an authentication library named auth-verify:

npm install auth-verify

Making the configuration

To hash the password we first need the correct configuration:

const AuthVerify = require('auth-verify');
const auth = new AuthVerify({
  hashAlg: 'pbkdf2', // or 'scrypt'
  iterations: 100000,
  keyLen: 64
});

πŸ” hashAlg: 'pbkdf2'

This chooses the hashing algorithm.

pbkdf2

  • Stands for Password-Based Key Derivation Function 2
  • Built into Node.js crypto
  • Designed specifically for passwords
  • Uses:
    • password
    • salt
    • iterations (many rounds)
  • ✔️ Secure
  • ✔️ Battle-tested
  • ✔️ Slower on purpose (good against brute-force)

scrypt (alternative)

  • Even more memory-hard
  • Stronger against GPU attacks
  • Slightly heavier on the server

👉 Rule of thumb:

  • pbkdf2 → safe, standard, widely used
  • scrypt → stronger, modern, more expensive

πŸ” iterations: 100000

This is how many times the hash function runs.
Think of it like this:

Instead of hashing once, hash 100,000 times

Why?

  • Makes attacks VERY slow
  • If an attacker tries millions of passwords → 💀 CPU melts

Example:

  • 1 iteration → ⚠️ weak
  • 10,000 → okay
  • 100,000 → good (production-level)

  • ✔️ More iterations = more security
  • ❌ Too many = slower login

👉 100_000 is a great balance

🔑 keyLen: 64

This is the length of the final hash (in bytes).

  • 64 bytes = 512 bits
  • Longer hash = harder to crack
  • Stored in DB as hex/base64

Example:

password → pbkdf2 → 64-byte hash

  • ✔️ 32 bytes → ok
  • ✔️ 64 bytes → strong

Hashing the password

auth.crypto.hash("myPassword123", (err, result) => {
  if (err) return console.error(err);
  console.log(result); // the hash to store in the database
});

Verifying the password

// `result` is the stored hash produced by auth.crypto.hash above
auth.crypto.verify("myPassword123", result, (err, valid) => {
  if (err) return console.error(err);
  console.log(valid); // true
});

Full example

const AuthVerify = require('auth-verify');
const auth = new AuthVerify({
  hashAlg: 'pbkdf2', // or 'scrypt'
  iterations: 100000,
  keyLen: 64
});

auth.crypto.hash("myPassword123", (err, result) => {
  if (err) return console.error(err);
  console.log(result); // the hash to store in the database
  // "secret123" is not the password that was hashed, so verification fails
  auth.crypto.verify("secret123", result, (err, valid) => {
    if (err) return console.error(err);
    console.log(valid); // false
  });
});

Top comments (2)

Nathan John

When you use "secret123" to verify the hashed result, how does the initial hashing command know that that secret will be used for verifying? Does the initial command not need to know the secret as well?

Jahongir Sobirov

The hash doesn't need to know the password in advance; during verification, the entered password is hashed again with the same salt and configuration, and the two hashes are compared.