#node
Wisdom Ekpot
Sep 1, 2020 ⋅ 5 min read

Building a password hasher in Node.js

Wisdom Ekpot A student of Ibom Metropolitan Polytechnic studying computer engineering, Wisdom has been writing JavaScript for two years, focusing on Vue.js, Angular, and Express.js.


4 Replies to "Building a password hasher in Node.js"

  1. Copied from: https://www.echojs.com/comment/37385/1

    Okay… while this is kind of correct, I would emphatically NOT follow this advice.

    First, sha512 is *not* sufficient for a hash, there are specific algorithms that will use sha256/512 as an underlying hash with thousands of iterations in order to create an appropriate hash.

    Second, the “rounds” for a salt is a total abuse of the term. The “rounds” in a password hash has to do with the number of cycles to perform on a passphrase hash.

    Third, you don’t need to convert to a hex string when passing the salt to the hashing algorithm, it can stay an ArrayBuffer/Buffer.

    Fourth, the length of the salt should match the bit length of the underlying hashing algorithm to ensure that at least a full working buffer goes into the algorithm to offset for short-ish passphrases.

    Here’s a better example to work from:

    https://gist.github.com/tracker1/87bbebbf235e697588fc9d9b8ca4f0a2

    Though, you may want to use something other than pbkdf2, the example above was using it because of legal requirements and that the algorithm is supported by node in the box.

  2. It is quite obvious that when it has to do with hashing in Node.js, it is recommended to use packages like bcrypt or Argon2. The article was basically to explain how bcrypt works and how to build something similar. It is stated in the conclusion that this has some flaws and wouldn’t be recommended for production.

  3. He was just explaining how salting works in Node.js crypto, inasmuch as he stated that this isn’t safe to do in production.
    Also, how is the “rounds” a waste of the term? Could you explain further?
    Converting to a hex string is just by choice.

  4. Thank you for bringing up some of the flaws with this! Adding onto the list of issues, the hash comparison here is not time safe and is vulnerable to a timing-based side-channel information leak.

    Also, NIST recommends at least 128 bits for a salt.

    Something like Argon2 would be ideal for passwords. If you have to stay within the scope of the SHA-family, then use a keccak construction like SHA3-512 (supported by NodeJS 10+), and use a minimum of 1,000 rounds/iterations, but ideally, go with something higher. And as mentioned above, use PBKDF2.
