DEV Community

GreenIntro

Posted on

Do you use bcrypt or other 3rd-party npm packages when hashing user passwords?

Why are people using third-party packages like bcrypt to hash user credentials instead of Node's own built-in classes and methods?

https://nodejs.org/api/crypto.html#cryptoscryptpassword-salt-keylen-options-callback

Reduce the package count (and the transitive dependencies that come with it) by using Node's built-in, asynchronous scrypt method.

Well, how does it work?

import { scrypt, randomBytes } from 'crypto';

// username and password come from the registration request.
// A fresh random salt per user means equal passwords still produce different hashes.
const salt = randomBytes(32).toString('hex');

scrypt(password, salt, 32, (err, derivedKey) => {
  if (err) throw err; // scrypt reports failures (e.g. bad parameters) through the callback
  const userToCreate = {
    password: derivedKey.toString('hex'),
    username: username,
    salt: salt,
  };
  // persist userToCreate here; the salt must be stored so the password can be verified later
});

The userToCreate object then contains the hashed password together with its random salt. Because each user gets their own salt, two users with the same password still end up with different hashes. That's exactly what we want! What this snippet does not cover yet is verification: on login you re-run scrypt with the stored salt and the same key length and parameters, and compare the result to the stored hash with crypto.timingSafeEqual rather than with ===.

Top comments (2)

Jan Küster
GreenIntro

Please leave a comment on any thoughts you may have regarding using bcrypt as a separate package instead of a built-in functionality.