How Bcrypt Password Hashing Works: Security & Best Practices

In the world of cybersecurity, storing passwords in plain text is a cardinal sin. But simply "encrypting" them or using standard hashing algorithms like MD5 or SHA-256 is no longer sufficient. Modern computing power has made these fast algorithms incredibly vulnerable to brute-force and rainbow table attacks.

Enter **Bcrypt**, the industry-standard algorithm designed specifically for password hashing. In this article, we'll explain how Bcrypt works, what makes it slow-by-design, and how you can implement it securely in 2026.

1. Hashing vs. Encryption

Many developers use these terms interchangeably, but they are conceptually different:

• Encryption is a two-way function. You encrypt a string with a key, and anyone with that key can decrypt it back into plain text. This is terrible for passwords, because if a hacker steals the decryption key, they have access to every account.
• Hashing is a one-way function. It takes an input string and converts it into a fixed-length string of characters (a hash). It is mathematically impossible to reverse-engineer a hash back to the original password. When a user logs in, you hash their input and compare it to the stored hash.

2. What is a "Salt" and Why is it Critical?

If two users have the same password (e.g., 123456), standard hashing algorithms will output the exact same hash. Hackers use pre-computed tables of common passwords and their corresponding hashes, known as **Rainbow Tables**, to instantly crack stolen databases.

A **Salt** is a random string generated for every single password before it is hashed. If we add a unique salt to each password, even identical passwords will produce completely different hashes:

This completely neutralizes rainbow table attacks, forcing attackers to guess each password individually, one by one.

3. The Secret Sauce: Slow-by-Design (Key Stretching)

Standard cryptographic hashing algorithms like SHA-256 are built to be extremely fast. Computers can calculate billions of SHA-256 hashes per second. If a database is leaked, an attacker can test millions of password combinations in a matter of seconds.

Bcrypt, based on the Blowfish cipher, introduces a customizable **Work Factor** (also called salt rounds). When hashing, Bcrypt repeats the hashing process multiple times (2^rounds times).

By configuring the work factor, we can intentionally slow down the hashing process:

• 10 rounds = 2¹⁰ (1,024) iterations (takes ~0.05s on modern hardware).
• 12 rounds = 2¹² (4,096) iterations (takes ~0.2s on modern hardware).
• 14 rounds = 2¹⁴ (16,384) iterations (takes ~0.8s on modern hardware).

A delay of 0.1s is unnoticeable to a logging-in user, but for an attacker who needs to test 100,000,000 passwords, it makes the attack completely impractical and computationally expensive.

4. Implementing Bcrypt in Node.js

Here is how easy it is to hash and verify passwords securely using the bcryptjs library in Node.js:

const bcrypt = require('bcryptjs');

// 1. Hash a password with a work factor of 12 rounds
async function hashPassword(plainPassword) {
  const saltRounds = 12;
  const hashedPassword = await bcrypt.hash(plainPassword, saltRounds);
  return hashedPassword;
}

// 2. Verify a password during login
async function verifyPassword(plainPassword, storedHash) {
  const isMatch = await bcrypt.compare(plainPassword, storedHash);
  return isMatch; // returns true or false
}