Hashing and comparing hashed passwords with bcryptjs (synchronous method)

Introduction

The passwords you use on a well-built website are not stored as plain text. The reason is that if someone gains access to the database, they should not be able to read the password of any account they find there.

Hashing is the process of converting plain text into another value. A plain-text password can be checked against its hash, but the hash cannot be converted back into the plain text. Also, a good password-hashing setup produces a different hash each time the same plain text is hashed, because a random salt is mixed in. This means that if I hash a word like "comfortable" twice, I should get a different value each time.

What is bcryptjs?

Bcryptjs is a library that hashes passwords before they are stored and compares plain-text passwords with stored hashes to see whether they match.

Setup bcryptjs

Create a folder and name it "bcrypt-tutorial". Inside the folder, open a terminal and type "npm init -y" to create a project, then type "touch index.js" to create the index.js file we will write our code in. After this, open "bcrypt-tutorial" with your favorite code editor; in this article I'll use VS Code.

Then, you install bcryptjs by using the command

npm install bcryptjs

So far, you've created a folder for the project, created a project so that your dependencies can be managed from within the folder and you've installed "bcryptjs", well done.

How to hash a password

Let's say the password we want to hash is "comfortable".

Inside the index.js file you created after requiring/importing bcryptjs, type the following:

const bcrypt = require("bcryptjs");

const password = "comfortable";

const salt = bcrypt.genSaltSync(10);

const hashedPassword = bcrypt.hashSync(password, salt);

console.log(hashedPassword);

Let me explain the lines of code we have written so far:

const bcrypt = require("bcryptjs");

This line of code imports the bcryptjs package so it can be used inside the index.js file.

const password = "comfortable";

The password we want to hash.

const salt = bcrypt.genSaltSync(10);

This generates the random salt that will be used to hash the plain password. The argument, 10, is the cost factor, and it is recorded inside the salt string along with the random part. Incrementing the cost factor by one doubles the time taken to calculate the hash, so a cost of 10 means the hash function runs 2^10 = 1024 rounds of its expensive key setup (not 10 times the work of a cost of 1).

const hashedPassword = bcrypt.hashSync(password, salt);

This line of code actually hashes the password using the salt generated by "bcrypt.genSaltSync()".

console.log(hashedPassword);

This line of code shows the result of hashing the password.

This is the result I got: $2a$10$qADzCMgxKJjE7gLNdh0M6.cWWYyyDDHUCQWMAXdk87pFuOrkCSpQO
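As an added example (not code from the original article or from the bcryptjs project), the small parser below pulls the hash string you just printed apart. It uses only plain string handling, so it runs without bcryptjs installed, and it shows why compareSync later needs no separate salt argument: the version, cost factor and salt are all stored at the front of the hash itself. The hash constant is the one printed above; the work-ratio helper is an assumption of this example, added to make the doubling rule concrete.

```javascript
// Added example: inspect the structure of a bcrypt hash string.
// Layout: $<version>$<cost>$<22-char salt><31-char digest>
// The hash below is the one produced in the article above.
const EXAMPLE_HASH =
  "$2a$10$qADzCMgxKJjE7gLNdh0M6.cWWYyyDDHUCQWMAXdk87pFuOrkCSpQO";

function parseBcryptHash(hash) {
  // bcrypt uses its own base64 alphabet: ./A-Za-z0-9
  // The trailing 53 characters are 22 characters of salt followed by
  // 31 characters of digest.
  const m = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$/.exec(hash);
  if (!m) {
    throw new Error("not a bcrypt hash string");
  }
  const cost = Number(m[2]);
  // bcrypt implementations accept cost factors in the range 4..31.
  if (cost < 4 || cost > 31) {
    throw new Error("cost factor out of range: " + cost);
  }
  return {
    version: m[1],
    cost,
    // each increment of the cost doubles the work, so rounds = 2^cost
    rounds: 2 ** cost,
    salt: m[3].slice(0, 22),
    digest: m[3].slice(22),
  };
}

// Hypothetical helper (not part of bcryptjs): how many times more work
// cost factor costA needs compared with cost factor costB.
function relativeWork(costA, costB) {
  return 2 ** (costA - costB);
}

// Usage: read the cost and salt back out of the stored hash.
const parsed = parseBcryptHash(EXAMPLE_HASH);
console.log(parsed);
console.log("cost 10 vs cost 9:", relativeWork(10, 9), "x the work");
console.log("cost 10 vs cost 1:", relativeWork(10, 1), "x the work");
```

Because the salt and cost travel with the hash, you never store them separately: whatever cost you pick at registration time is what compareSync will use when it re-hashes the candidate password, which also lets you raise the cost for new users without breaking existing accounts.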

Up next, I guess you will want to know how to compare the hashed password with the plain password, let's see how to do that.

How to compare a plain password with a hashed password.

Let's say you want to compare the original password (which is "comfortable") with the hashed password to see if they match, here is how to do it.

const bcrypt = require("bcryptjs");

const password = "comfortable";

// The value of the password I hashed earlier
// Yours will be different
const hashedPassword = "$2a$10$qADzCMgxKJjE7gLNdh0M6.cWWYyyDDHUCQWMAXdk87pFuOrkCSpQO";

const passwordsMatch = bcrypt.compareSync(password, hashedPassword);

console.log(passwordsMatch);

if(passwordsMatch) {
    console.log("Passwords match");
} else {
    console.log("Passwords don't match");
}

Let me explain what we've written so far.

const hashedPassword = "...";

The value of the password that was hashed.

const passwordsMatch = bcrypt.compareSync(password, hashedPassword);

We use this line of code to compare the plain password with the hashed password to see if they match. This will return a Boolean of true if the passwords match and false if the passwords don't match.

if(passwordsMatch) {
    console.log("Passwords match");
} else {
    console.log("Passwords don't match");
}

This block takes the Boolean value stored in passwordsMatch and uses it to print a message telling the user whether or not the passwords match.

The result I got:

true
Passwords match

Conclusion

This method can be used when setting up a registration route on your server. Before saving any user's password, always make sure you hash it.