or run

npx @tessl/cli init
Log in

Version

Tile

Overview

Evals

Files

docs

index.md
tile.json

tessl/npm-bcrypt

A bcrypt library for NodeJS providing secure password hashing with salt generation, hashing, and comparison functions.

Workspace
tessl
Visibility
Public
Created
Last updated
Describes
npmpkg:npm/bcrypt@6.0.x

To install, run

npx @tessl/cli install tessl/npm-bcrypt@6.0.0

index.mddocs/

bcrypt

bcrypt is a Node.js library that provides secure password hashing using the bcrypt algorithm. It offers both synchronous and asynchronous APIs for salt generation, password hashing, and password comparison, with full Promise support for modern async/await patterns.

Package Information

  • Package Name: bcrypt
  • Package Type: npm
  • Language: JavaScript
  • Installation: npm install bcrypt

Core Imports

const bcrypt = require("bcrypt");

ES modules:

import * as bcrypt from "bcrypt";

Basic Usage

const bcrypt = require("bcrypt");

async function hashPassword(plainPassword) {
  // Generate salt and hash password in one step
  const hash = await bcrypt.hash(plainPassword, 10);
  return hash;
}

async function verifyPassword(plainPassword, hash) {
  // Compare plain password with stored hash
  const isValid = await bcrypt.compare(plainPassword, hash);
  return isValid;
}

// Usage
(async () => {
  const hash = await hashPassword("mySecretPassword");
  console.log("Hash:", hash);
  
  const isValid = await verifyPassword("mySecretPassword", hash);
  console.log("Password valid:", isValid);
})();

Capabilities

Salt Generation

Generate cryptographic salts for use in password hashing.

/**
 * Generate a salt synchronously
 * @param {number} rounds - Number of rounds (default: 10)
 * @param {string} minor - bcrypt minor version 'a' or 'b' (default: 'b')
 * @returns {string} Generated salt
 * @throws {Error} If rounds is not a number or minor is not 'a' or 'b'
 */
function genSaltSync(rounds, minor);

/**
 * Generate a salt asynchronously
 * @param {number} rounds - Number of rounds (default: 10)
 * @param {string} minor - bcrypt minor version 'a' or 'b' (default: 'b')
 * @param {function} callback - Callback function (err, salt)
 * @returns {Promise<string>} Promise resolving to generated salt (if no callback)
 */
function genSalt(rounds, minor, callback);

Usage Examples:

// Synchronous salt generation
const salt = bcrypt.genSaltSync(12);
console.log(salt); // $2b$12$...

// Asynchronous with callback
bcrypt.genSalt(12, (err, salt) => {
  if (err) throw err;
  console.log(salt);
});

// Asynchronous with Promise
const salt = await bcrypt.genSalt(12);
console.log(salt);

// With specific bcrypt version
const saltA = bcrypt.genSaltSync(10, 'a'); // Uses $2a$
const saltB = bcrypt.genSaltSync(10, 'b'); // Uses $2b$

Password Hashing

Hash passwords using bcrypt algorithm with salt.

/**
 * Hash data using a salt synchronously
 * @param {string|Buffer} data - The data to encrypt
 * @param {string|number} salt - The salt to use or number of rounds
 * @returns {string} Hashed password
 * @throws {Error} If data/salt arguments are missing or invalid types
 */
function hashSync(data, salt);

/**
 * Hash data using a salt asynchronously
 * @param {string|Buffer} data - The data to encrypt
 * @param {string|number} salt - The salt to use or number of rounds
 * @param {function} callback - Callback function (err, hash)
 * @returns {Promise<string>} Promise resolving to hashed password (if no callback)
 */
function hash(data, salt, callback);

Usage Examples:

// Hash with existing salt (sync)
const salt = bcrypt.genSaltSync(10);
const hash = bcrypt.hashSync("myPassword", salt);

// Hash with rounds (sync) - generates salt automatically
const hash = bcrypt.hashSync("myPassword", 10);

// Hash with callback (async)
bcrypt.hash("myPassword", 10, (err, hash) => {
  if (err) throw err;
  console.log(hash);
});

// Hash with Promise (async)
const hash = await bcrypt.hash("myPassword", 10);

// Hash with Buffer input
const passwordBuffer = Buffer.from("myPassword", "utf8");
const hash = await bcrypt.hash(passwordBuffer, 10);

Password Comparison

Compare plain text passwords with hashed passwords.

/**
 * Compare raw data to hash synchronously
 * @param {string|Buffer} data - The data to hash and compare
 * @param {string} hash - Expected hash
 * @returns {boolean} true if hashed data matches hash
 * @throws {Error} If data/hash arguments are missing or invalid types
 */
function compareSync(data, hash);

/**
 * Compare raw data to hash asynchronously
 * @param {string|Buffer} data - The data to hash and compare
 * @param {string} hash - Expected hash
 * @param {function} callback - Callback function (err, matched)
 * @returns {Promise<boolean>} Promise resolving to comparison result (if no callback)
 */
function compare(data, hash, callback);

Usage Examples:

// Synchronous comparison
const isValid = bcrypt.compareSync("myPassword", storedHash);
console.log("Password valid:", isValid);

// Asynchronous with callback
bcrypt.compare("myPassword", storedHash, (err, isValid) => {
  if (err) throw err;
  console.log("Password valid:", isValid);
});

// Asynchronous with Promise
const isValid = await bcrypt.compare("myPassword", storedHash);

// Compare with Buffer input
const passwordBuffer = Buffer.from("myPassword", "utf8");
const isValid = await bcrypt.compare(passwordBuffer, storedHash);

Hash Analysis

Extract information from bcrypt hashes.

/**
 * Extract rounds from a hash
 * @param {string} hash - Hash to extract rounds from
 * @returns {number} The number of rounds used to encrypt the hash
 * @throws {Error} If hash argument is missing or not a string
 */
function getRounds(hash);

Usage Examples:

const hash = "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW";
const rounds = bcrypt.getRounds(hash);
console.log("Rounds used:", rounds); // 12

// Useful for checking hash strength
if (bcrypt.getRounds(existingHash) < 12) {
  console.log("Hash needs to be upgraded to higher rounds");
}

Error Handling

bcrypt functions throw or pass errors for various invalid input scenarios:

// Common error scenarios
try {
  bcrypt.genSaltSync("not a number"); // Throws: "rounds must be a number"
  bcrypt.genSaltSync(10, "c"); // Throws: "minor must be either 'a' or 'b'"
  bcrypt.hashSync(null, 10); // Throws: "data and salt arguments required"
  bcrypt.compareSync("test", null); // Throws: "data and hash arguments required"
  bcrypt.getRounds(123); // Throws: "hash must be a string"
} catch (error) {
  console.error("bcrypt error:", error.message);
}

// Async error handling with Promise
try {
  await bcrypt.hash("test", "invalid salt");
} catch (error) {
  console.error("Hash error:", error.message);
}

// Async error handling with callback
bcrypt.compare("test", "invalid hash", (err, result) => {
  if (err) {
    console.error("Compare error:", err.message);
    return;
  }
  console.log("Result:", result);
});

Security Considerations

Rounds Selection:

  • Default: 10 rounds (recommended minimum)
  • Higher rounds = more secure but slower computation
  • Consider 12+ rounds for high-security applications
  • Test performance in your environment

Salt Handling:

  • Never reuse salts across passwords
  • bcrypt generates cryptographically secure salts automatically
  • Salt is embedded in the hash output

Timing Attacks:

  • bcrypt comparison is designed to be constant-time
  • Always use bcrypt.compare() for verification, never string comparison

Version Compatibility:

  • Default 'b' version recommended for new applications
  • 'a' version available for legacy compatibility