How to hash passwords in Node.js

Monday, November 17, 2025

#nodejs #security #passwords #bcrypt #hashing

Securely hashing passwords is fundamental for any Node.js application that handles user authentication, protecting user credentials from data breaches and unauthorized access. As the creator of CoreUI, a widely used open-source UI library, I’ve implemented password hashing in countless Node.js backend systems and enterprise applications. From my 25 years of experience in web development and 11 years with Node.js, the most secure and industry-standard approach is to use the bcrypt library with appropriate salt rounds. This method provides strong protection against rainbow table attacks and brute force attempts.

Use the bcrypt library with salt rounds to securely hash passwords before storing them in your database.

const bcrypt = require('bcrypt')

async function hashPassword(password) {
  const saltRounds = 12
  const hashedPassword = await bcrypt.hash(password, saltRounds)
  return hashedPassword
}

async function verifyPassword(password, hashedPassword) {
  const isValid = await bcrypt.compare(password, hashedPassword)
  return isValid
}

// Usage example
const userPassword = 'userSecretPassword'
const hashed = await hashPassword(userPassword)
console.log(hashed) // $2b$12$...

const isValid = await verifyPassword(userPassword, hashed)
console.log(isValid) // true

The bcrypt.hash() function takes the plain text password and salt rounds as parameters, returning a hashed string that includes the salt. Salt rounds determine the computational cost - 12 rounds provide excellent security for most applications. The bcrypt.compare() function safely compares a plain text password with a hashed password, automatically handling the salt extraction and comparison. Always use async/await or promises since bcrypt operations are computationally intensive.

This is the same secure password hashing approach we use in CoreUI backend systems and admin panel authentication. Never store plain text passwords or use simple hashing algorithms like MD5 or SHA1 without proper salting for password storage.

Speed up your responsive apps and websites with fully-featured, ready-to-use open-source admin panel templates—free to use and built for efficiency.

About the Author

Łukasz Holeczek, Founder of CoreUI, is a seasoned Fullstack Developer and entrepreneur with over 25 years of experience. As the lead developer for all JavaScript, React.js, and Vue.js products at CoreUI, they specialize in creating open-source solutions that empower developers to build better and more accessible user interfaces.

With expertise in TypeScript, JavaScript, Node.js, and modern frameworks like React.js, Vue.js, and Next.js, Łukasz combines technical mastery with a passion for UI/UX design and accessibility. CoreUI’s mission is to provide developers with tools that enhance productivity while adhering to accessibility standards.

Łukasz shares its extensive knowledge through a blog with technical software development articles. It also advises enterprise companies on building solutions from A to Z. Through CoreUI, it offers professional services, technical support, and open-core products that help developers and businesses achieve their goals.

Learn more about CoreUI’s solutions and see how your business can benefit from working with us.