Cryptojs vs. Bcryptjs: Which password hashing method should you trust?
Hey Developers, when building a scalable application, a secure authentication system is a must-have that increases the overall quality of the application. One of the important parts of an authentication system is how passwords are protected when they are stored in the database. One way to protect stored passwords is hashing.
In this blog, let's dive into the exciting world of password hashing, where we pit two mighty contenders against each other: Crypto with Promisify and bcryptjs. Spoiler alert: one of them makes our lives way easier!
The Contenders
In the Blue Corner: Crypto with Promisify
Here's our first challenger, a complex yet secure method using Node.js's crypto module. This method requires some serious elbow grease and a sprinkle of util.promisify magic.
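const crypto = require('crypto');
const util = require('util');

// Example parameters (assumed values; the original post does not define config).
const config = {
  saltBytes: 16,       // random salt length in bytes
  hashBytes: 32,       // derived key length in bytes
  iterations: 600000,  // PBKDF2 work factor; tune to your hardware
  digest: 'sha256'     // HMAC digest used by PBKDF2
};

const randomBytes = util.promisify(crypto.randomBytes);
const pbkdf2 = util.promisify(crypto.pbkdf2);

// Generate a fresh random salt, then derive the hash from the password with PBKDF2.
function hashPassword(password) {
  return randomBytes(config.saltBytes).then(salt => {
    return pbkdf2(password, salt, config.iterations, config.hashBytes, config.digest).then(hash => {
      // Store all three values: they are needed to verify the password later.
      return { salt, hash, iterations: config.iterations };
    });
  });
}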
In the Red Corner: Bcryptjs
Meet our second contender, the crowd favorite bcryptjs. This library is all about keeping things simple and secure without making your brain hurt.
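const bcrypt = require('bcryptjs');

async function hashing(plainTextPassword) {
  if (!plainTextPassword) {
    return null;
  }
  // genSalt(10) returns a salt string with a cost factor of 10, not a round count.
  const salt = await bcrypt.genSalt(10);
  // The returned string embeds the cost factor and salt alongside the hash.
  const hashedPassword = await bcrypt.hash(plainTextPassword, salt);
  return hashedPassword;
}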
Round 1: Complexity and Readability
Crypto with Promisify:
Manual salt generation and hashing steps.
More code and complexity.
Returns an object with salt, hash, and iterations.
bcryptjs:
Abstracts salt generation and hashing.
Easier to read and understand.
Directly returns the hashed password.
Winner: bcryptjs for simplicity and readability.
Round 2: Security
Crypto with Promisify:
Uses PBKDF2, a secure key derivation function.
Requires careful configuration to ensure security.
bcryptjs:
Uses bcrypt, designed for password hashing.
Automatically handles salt generation.
Configurable salt rounds for added security.
Winner: Tie! Both are secure, but bcryptjs is easier to use securely.
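An added example, not code from the original post: verifying a password against the salt, hash and iterations record that the PBKDF2 approach returns, with a constant-time comparison and a check for records hashed with outdated settings. It uses the synchronous crypto.pbkdf2Sync for brevity; the POLICY values, the stored digest field and the function names are assumptions.

```javascript
const crypto = require('crypto');

// Assumed policy for this example; tune iterations to your own hardware.
const POLICY = { saltBytes: 16, hashBytes: 32, iterations: 600000, digest: 'sha256' };

// Build the record to store: salt, hash and every parameter needed to re-derive it.
function hashPassword(password, policy = POLICY) {
  const salt = crypto.randomBytes(policy.saltBytes);
  const hash = crypto.pbkdf2Sync(password, salt, policy.iterations, policy.hashBytes, policy.digest);
  return {
    salt: salt.toString('hex'),
    hash: hash.toString('hex'),
    iterations: policy.iterations,
    digest: policy.digest,
  };
}

// Re-derive with the parameters stored in the record, then compare in constant time.
function verifyPassword(password, record) {
  if (typeof password !== 'string' || !record) return false;
  const expected = Buffer.from(record.hash, 'hex');
  // An empty stored hash would compare equal to an empty derived key: reject it.
  if (expected.length === 0) return false;
  const salt = Buffer.from(record.salt, 'hex');
  const actual = crypto.pbkdf2Sync(password, salt, record.iterations, expected.length, record.digest);
  // timingSafeEqual throws on a length mismatch; lengths match here by construction.
  return crypto.timingSafeEqual(actual, expected);
}

// True when a record was made with weaker settings than the current policy,
// so the caller can re-hash the password after a successful login.
function needsRehash(record, policy = POLICY) {
  return record.iterations < policy.iterations ||
    record.digest !== policy.digest ||
    Buffer.from(record.hash, 'hex').length < policy.hashBytes;
}
```

Verification must use the iterations and digest stored with each record rather than the current policy, otherwise raising the work factor later would lock out every existing user.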
Round 3: Performance
Crypto with Promisify:
Performance depends on iterations and hash length.
Fine-tunable based on needs.
bcryptjs:
Performance depends on salt rounds.
Designed to be slow enough to thwart brute-force attacks.
Winner: Tie! Both can be adjusted for performance, but bcryptjs is simpler to configure.
Round 4: Ease of Use
Crypto with Promisify:
More control but more boilerplate code.
bcryptjs:
High-level API for password hashing.
Less code and easier to integrate.
Winner: bcryptjs for ease of use.
And the winner of this battle is…
Drumroll, please… The champion of our hashing showdown is bcryptjs! While both methods are secure, bcryptjs wins hands down for its simplicity, readability, and ease of use. It makes hashing passwords a breeze, even if you're not a crypto wizard. So, next time you need to hash a password, you know which one to pick!
Feel free to ask any questions or dive deeper into the fascinating world of password security.
Thank you for reading! Please leave your comments, if any.
Don't forget to bookmark this blog for the future.
Written by
Sanchit Bajaj
Upcoming Software Engineer @Infozech || Freelance Developer || Tech Enthusiast || Blogger