Cryptojs vs. Bcryptjs: Which password hashing method should you trust?

Sanchit Bajaj

Hey Developers, 👋 when building a scalable application, a secure authentication system is a must-have that raises the overall quality of the application. One important part of an authentication system is how passwords are protected before they are stored in the database, and one way to protect them is hashing.

In this blog, let's dive into the exciting world of password hashing, where we pit two mighty contenders against each other: Crypto with Promisify and bcryptjs. Spoiler alert: one of them makes our lives way easier!

The Contenders

In the Blue Corner: Crypto with Promisify 🥶

Here's our first challenger, a complex yet secure method using Node.js's crypto module. This method requires some serious elbow grease and a sprinkle of util.promisify magic.

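const crypto = require('crypto');
const util = require('util');

// Example parameters (assumed here; the original snippet does not define `config`).
const config = {
  saltBytes: 16,
  hashBytes: 32,
  iterations: 600000,
  digest: 'sha256'
};

// Derives a PBKDF2 hash of the password using a fresh random salt.
function hashPassword(password) {
  return util.promisify(crypto.randomBytes)(config.saltBytes).then(salt => {
    return util.promisify(crypto.pbkdf2)(password, salt, config.iterations, config.hashBytes, config.digest).then(hash => {
      // All three values must be stored: they are needed again to verify a login.
      return {
        salt,
        hash,
        iterations: config.iterations
      };
    });
  });
}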

In the Red Corner: Bcryptjs 💪

Meet our second contender, the crowd favorite bcryptjs. This library is all about keeping things simple and secure without making your brain hurt.

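const bcrypt = require('bcryptjs');

async function hashing(plainTextPassword) {
  // Nothing to hash for an empty or missing password.
  if (!plainTextPassword) {
    return null;
  }

  // genSalt(10) returns a salt generated with a cost of 10 rounds.
  const salt = await bcrypt.genSalt(10);
  // The resulting string embeds the cost and the salt alongside the hash.
  const hashedPassword = await bcrypt.hash(plainTextPassword, salt);

  return hashedPassword;
}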

Round 1: Complexity and Readability 📚

Crypto with Promisify:

  • Manual salt generation and hashing steps. 🧂🔄

  • More code and complexity.

  • Returns an object with salt, hash, and iterations.

bcryptjs:

  • Abstracts salt generation and hashing.

  • Easier to read and understand.

  • Directly returns the hashed password.

Winner: bcryptjs for simplicity and readability. 🎉

Round 2: Security

Crypto with Promisify:

  • Uses PBKDF2, a secure key derivation function.

  • Requires careful configuration to ensure security.

bcryptjs:

  • Uses bcrypt, designed for password hashing.

  • Automatically handles salt generation.

  • Configurable salt rounds for added security.

Winner: Tie! Both are secure, but bcryptjs is easier to use securely. 🤝
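
The post shows hashing with crypto but not the matching login check. As an added example (not code from the original post), the following stores the PBKDF2 parameters with the hash, verifies a password with a constant-time comparison, and flags records made with weaker settings; the `config` values and the `verifyPassword` name are assumptions.

```javascript
const crypto = require('crypto');
const util = require('util');

const pbkdf2 = util.promisify(crypto.pbkdf2);
const randomBytes = util.promisify(crypto.randomBytes);

// Assumed example parameters; the post does not give values for `config`.
const config = { saltBytes: 16, hashBytes: 32, iterations: 600000, digest: 'sha256' };

// Hash a password and return everything needed to verify it later.
async function hashPassword(password, params = config) {
  if (typeof password !== 'string' || password.length === 0) {
    throw new TypeError('password must be a non-empty string');
  }
  const salt = await randomBytes(params.saltBytes);
  const hash = await pbkdf2(password, salt, params.iterations, params.hashBytes, params.digest);
  return {
    salt: salt.toString('base64'),
    hash: hash.toString('base64'),
    iterations: params.iterations,
    digest: params.digest,
  };
}

// Check a login attempt against a stored record (hypothetical helper name).
async function verifyPassword(password, record, params = config) {
  const fail = { ok: false, needsRehash: false };
  if (typeof password !== 'string' || !record) return fail;
  const salt = Buffer.from(record.salt || '', 'base64');
  const expected = Buffer.from(record.hash || '', 'base64');
  // An empty stored hash would compare equal to an empty derived key, so reject it.
  if (expected.length === 0 || salt.length === 0) return fail;
  // Re-derive with the parameters stored in the record, not the current config.
  const actual = await pbkdf2(password, salt, record.iterations, expected.length, record.digest);
  // Constant-time comparison; both buffers have the same length by construction.
  const ok = crypto.timingSafeEqual(actual, expected);
  // Correct password but weaker stored settings: caller should re-hash and update.
  const weaker = record.iterations < params.iterations || record.digest !== params.digest;
  return { ok, needsRehash: ok && weaker };
}
```

With bcryptjs the same check is a single `bcrypt.compare(plainTextPassword, hashedPassword)` call, because the cost and salt are embedded in the hash string.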

Round 3: Performance ⚡

Crypto with Promisify:

  • Performance depends on iterations and hash length.

  • Fine-tunable based on needs.

bcryptjs:

  • Performance depends on salt rounds.

  • Designed to be slow enough to thwart brute-force attacks.

Winner: Tie! Both can be adjusted for performance, but bcryptjs is simpler to configure. ⚔️

Round 4: Ease of Use 🛠️

Crypto with Promisify:

  • More control but more boilerplate code.

bcryptjs:

  • High-level API for password hashing.

  • Less code and easier to integrate.

Winner: bcryptjs for ease of use. 🎈

And the winner of this battle is… 🏆

Drumroll, please… 🥁 The champion of our hashing showdown is bcryptjs! While both methods are secure, bcryptjs wins hands down for its simplicity, readability, and ease of use. It makes hashing passwords a breeze, even if you're not a crypto wizard. So, next time you need to hash a password, you know which one to pick!

Feel free to ask any questions or dive deeper into the fascinating world of password security.

Thank you for reading! Please leave your comments, if any ✌️

Don't forget to bookmark this blog for the future 📌
