What is Salt in Hashing? (with Node.js + bcrypt Example)

Node.jsBackendAuthentication & SecurityWeb DevelopmentJavaScriptPassword Security

September 10, 2025

Banner

What is Salt in Hashing? (with Node.js + bcrypt Example)

When we store passwords in a database, we never store them as plain text. Instead, we hash them. But even hashing alone is not enough to keep passwords secure. Thatโ€™s where salt comes in.

๐Ÿ”‘ What is Salt in Hashing?

  • Hashing: A one-way function that converts plain text into a fixed-length string. Example:

    • "mypassword" โ†’ "5f4dcc3b5aa765d61d8327deb882cf99"

  • Problem without salt: Attackers can use rainbow tables (precomputed hashes of common passwords) to quickly guess the original password.

  • Salt: A random string added to the password before hashing. This ensures that even if two users have the same password, their hashes will be different.

๐Ÿ‘‰ Example:

  • Without salt: "mypassword" โ†’ "hash123"
  • With salt: "mypassword+randomSalt123" โ†’ "hashXYZ"

So, salt makes the hash unique and much harder for attackers to crack.

๐Ÿ› ๏ธ Implementing Salt + Hashing in Node.js using "bcrypt"

Weโ€™ll use the "bcrypt" library in Node.js. It automatically handles salt generation and password hashing for us.

Step 1: Install bcrypt

npm install bcrypt

Step 2: Hash a Password

import bcrypt from "bcrypt";

// Number of salt rounds (higher = more secure, but slower)
const saltRounds = 10;

async function hashPassword(password) {
  const hashedPassword = await bcrypt.hash(password, saltRounds);
  console.log("Hashed Password:", hashedPassword);
  return hashedPassword;
}

hashPassword("mypassword123");

๐Ÿ‘‰ Output will look like:

$2b$10$CwTycUXWue0Thq9StjUM0uZBZrYdOV9YtQ0eFh6XuhhUIa0G1PZby

Step 3: Verify a Password

When a user logs in, we need to compare their entered password with the hashed one in the database.

async function verifyPassword(password, hashedPassword) {
  const match = await bcrypt.compare(password, hashedPassword);

  if (match) {
    console.log("โœ… Password is correct!");
  } else {
    console.log("โŒ Password is incorrect!");
  }
}

async function demo() {
  const hashed = await hashPassword("mypassword123");

  await verifyPassword("mypassword123", hashed); // โœ… Correct
  await verifyPassword("wrongpassword", hashed); // โŒ Incorrect
}

demo();

๐Ÿ“– Step-by-Step Guide

  1. Install bcrypt 
    npm install bcrypt
  2. Choose salt rounds Start with '10' (balance of speed & security)
  3. Hash password before saving 
    bcrypt.hash(password, saltRounds)
  4. Store only the hashed password in your database
  5. Verify with bcrypt.compare() when logging in

๐Ÿš€ Why Use bcrypt?

  • It handles salt automatically (no need to store/manage it separately).
  • Resistant to rainbow table attacks.
  • Adjustable cost factor ('saltRounds') for better security.

โœ… Conclusion

Salt in hashing is like adding extra spice to your password security ๐Ÿฒ. It makes each password hash unique and protects against attacks.

By using 'bcrypt' in Node.js, you donโ€™t need to manage salt yourselfโ€”bcrypt does it all for you.