How to Store Passwords Securely in Node.js (Hashing & Salting)

Hey there! 👋

If you're building a website or app that lets users create accounts, you need to store their passwords. But here’s the deal: you should never store passwords as plain text. That’s like writing them on a sticky note and leaving it on your desk, anyone can see them if they get access.

In this post, I’ll explain how to store passwords the right way using hashing and salting. Don’t worry, I’ll keep things simple and show you some real code examples too.

Why You Should Never Store Plain Text Passwords

Let’s say someone signs up with the password mypassword123.

If you save that directly in the database, anyone who accesses it - hackers, rogue employees, even you can see their password.

And if you think, “Well, I trust my database,” think again. Data breaches happen all the time, and if your users reuse passwords (which most people do), you're putting them at risk on other sites too.

So what’s the solution?

Step 1: Use Hashing

A hash is like a fingerprint for data. It turns a password into a long string of letters and numbers that can’t be reversed.

For example, the password mypassword123 might become:

8a59a3b2ac876bbac0d21ef5ce7a2bbf

The cool thing is: no matter how many times you hash the same password, you always get the same result. But once it's hashed, you can't turn it back into the original password.

Using bcrypt in Node.js

There are many hashing algorithms out there, but one of the safest and most common for passwords is bcrypt.

Here’s a quick example:

const bcrypt = require('bcrypt');

const password = 'mypassword123';
const saltRounds = 10;

bcrypt.hash(password, saltRounds, function(err, hash) {
  // Store this 'hash' in your database
});

This is way better than storing the password directly. But we're not done yet.

Step 2: Add Salting for Extra Protection

Even with hashing, there’s a problem: if two users use the same password, they’ll get the same hash.

That’s where salting comes in.

A salt is a random string added to the password before hashing. It makes each hash unique, even if two users choose the same password.

Luckily, bcrypt handles this for you. When you set saltRounds = 10, it creates a random salt for each password automatically. So you don’t need to manage it manually.

How to Verify a Password Later

When the user logs in, you need to check if their password matches the hashed one stored in the database.

Here’s how:

const bcrypt = require('bcrypt');

const inputPassword = 'mypassword123';
const storedHash = getPasswordFromDatabase(); // the hashed one

bcrypt.compare(inputPassword, storedHash, function(err, result) {
  if (result) {
    // Password is correct
  } else {
    // Password is wrong
  }
});

No need to decrypt anything, just compare the password to the stored hash. bcrypt handles the salt and everything else for you.

Common Mistakes to Avoid

• ❌ Storing plain text passwords
• ❌ Using old or broken hashing algorithms like MD5 or SHA1
• ❌ Skipping salting
• ❌ Writing your own hashing logic from scratch

Please don’t try to reinvent the wheel when it comes to password security. Use proven libraries like bcrypt, Argon2, or scrypt. They're battle-tested and built for this exact purpose.

Final Thoughts

If you’re collecting passwords, you have a responsibility to keep them safe. Hashing and salting are your first line of defense.

Always hash passwords before storing them. Always use a salt (or let a library like bcrypt handle it). Never store passwords in plain text, not even during testing.

Thanks for reading! If this helped you or you know someone who’s new to backend development, feel free to share it.

And hey, double-check your user registration code today, your future users will thank you.