Optimized bcrypt in plain JavaScript with zero dependencies, with TypeScript support. Compatible to 'bcrypt'.
bcryptjs is a pure JavaScript implementation of the bcrypt password hashing algorithm, designed to securely hash passwords without requiring native C++ dependencies. With over 5.7 million weekly downloads, it's become a standard choice for authentication systems where developers need a reliable, cross-platform solution that works in both Node.js and browser environments.
The package addresses a critical security requirement: storing passwords in a way that makes them computationally infeasible to reverse-engineer. Unlike fast hashing algorithms like SHA-256 that can be brute-forced quickly with modern hardware, bcryptjs uses an adaptive, computationally expensive algorithm that can be tuned to remain secure as computing power increases. Each password is automatically salted with a unique random value before hashing, ensuring identical passwords produce different hashes and protecting against rainbow table attacks.
Developers choose bcryptjs when they need password hashing without the compilation overhead of native addons. While it's approximately 30% slower than the native bcrypt package due to being written in pure JavaScript, it eliminates installation issues related to node-gyp and C++ compilers—particularly valuable in containerized environments, CI/CD pipelines, or platforms with restricted native module support. The package provides both synchronous and asynchronous APIs, with the async implementation yielding to the event loop to prevent blocking the main thread during intensive hashing operations.
```javascript
const bcrypt = require('bcryptjs');

// `db` stands for the application's own data-access layer; it is not part of bcryptjs.

// Hashing a password during user registration
async function registerUser(username, plainPassword) {
  const saltRounds = 12;
  const hashedPassword = await bcrypt.hash(plainPassword, saltRounds);

  // Store hashedPassword in database
  await db.users.create({
    username,
    password: hashedPassword
  });

  return { username, created: true };
}

// Verifying password during login
async function loginUser(username, plainPassword) {
  const user = await db.users.findOne({ username });

  // Same error for an unknown user and a wrong password, so the
  // response does not reveal which usernames exist.
  if (!user) {
    throw new Error('Invalid username or password');
  }

  const isValid = await bcrypt.compare(plainPassword, user.password);
  if (!isValid) {
    throw new Error('Invalid username or password');
  }

  return { username: user.username, authenticated: true };
}

// Synchronous usage (blocks event loop - use sparingly)
function hashPasswordSync(plainPassword) {
  const salt = bcrypt.genSaltSync(10);
  return bcrypt.hashSync(plainPassword, salt);
}

// Example usage
(async () => {
  const testPassword = 'mySecureP@ssw0rd';
  const hash = await bcrypt.hash(testPassword, 12);
  console.log('Generated hash:', hash);

  const match = await bcrypt.compare(testPassword, hash);
  console.log('Password matches:', match);

  const noMatch = await bcrypt.compare('wrongPassword', hash);
  console.log('Wrong password matches:', noMatch);
})();
```

User registration systems: Hash passwords before storing them in databases during account creation. The automatic salting ensures each user's password hash is unique, even if multiple users choose the same password.
Login authentication: Verify user-provided passwords against stored hashes during login attempts. The compare function safely checks credentials without exposing the original password or being vulnerable to timing attacks.
Password change workflows: Re-hash passwords when users update their credentials, with the ability to increase the cost factor over time to maintain security as hardware improves.
API authentication: Generate and verify hashed API keys or tokens that need secure storage, leveraging bcrypt's adaptive cost factor to balance security and performance requirements.
Browser-based password utilities: Implement client-side password strength testing or pre-hashing in web applications, taking advantage of bcryptjs's browser compatibility without requiring WebAssembly or native modules.
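The cost-factor upgrade mentioned under password change workflows, as an added example (not code from bcryptjs or from this page): it reads the cost out of a stored hash string and decides whether a successful login should trigger a re-hash at a higher cost. The function names, the target cost of 12 and the sample records are assumptions constructed for illustration.

```javascript
// Added example, not part of bcryptjs. Parses the bcrypt hash string format
// $<version>$<cost>$<22-char salt><31-char digest> with no library calls.
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/;

function parseBcryptHash(hash) {
  const m = typeof hash === 'string' ? BCRYPT_RE.exec(hash) : null;
  if (!m) return null;
  const cost = Number(m[2]);
  // bcrypt defines costs 4..31; anything else is a corrupt or forged record.
  if (cost < 4 || cost > 31) return null;
  return { version: m[1], cost, salt: m[3], digest: m[4] };
}

// 'reject': not a bcrypt hash (plaintext, other scheme, truncated column).
// 'rehash': valid but below policy; re-hash after the next successful login.
// 'keep'  : valid and at or above the target cost.
function rehashDecision(storedHash, targetCost) {
  const parsed = parseBcryptHash(storedHash);
  if (!parsed) return 'reject';
  return parsed.cost < targetCost ? 'rehash' : 'keep';
}

// Tally decisions over stored records to see how much of the user table lags policy.
function auditCosts(records, targetCost) {
  const summary = { keep: 0, rehash: 0, reject: 0 };
  for (const { password } of records) {
    summary[rehashDecision(password, targetCost)] += 1;
  }
  return summary;
}

// Constructed sample rows: syntactically valid strings, not hashes of real passwords.
const fakeHash = (cost) => `$2b$${cost}$${'a'.repeat(22)}${'B'.repeat(31)}`;
const SAMPLE_RECORDS = [
  { username: 'alice', password: fakeHash('12') },
  { username: 'bob', password: fakeHash('10') },
  { username: 'carol', password: fakeHash('10').slice(0, 50) }, // truncated column
  { username: 'dave', password: 'hunter2' },                    // legacy plaintext
  { username: 'erin', password: fakeHash('99') },               // cost out of range
];

console.log(auditCosts(SAMPLE_RECORDS, 12));
```

After a 'rehash' decision and a successful bcrypt.compare, call bcrypt.hash on the submitted password with the target cost and overwrite the stored value.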
```bash
npm install bcryptjs
pnpm add bcryptjs
bun add bcryptjs
```