Password hashing transforms a plaintext password into a fixed-length string that looks random, using a one-way mathematical function, so that what is stored in the database cannot be turned back into the password; salting adds a unique random string to each password before hashing, so that even identical passwords produce different hash values, which defeats precomputed rainbow tables; the bcrypt algorithm builds this in with a cost factor (typically 10-12) that sets the work as 2^cost rounds, balancing resistance to brute force against signup and login latency.
Deep Dive
Password Hashing & Salting Explained | Complete Node JS + Express Course with MongoDB | Part #148
In the last lecture, we learned that we should never save the password as plain text in the database because of security concerns. When a user registers with our application through a signup or registration process, the user has to provide a password while creating their account. The user provides that password as plain text, and currently that plain password is what we are saving in the database. If for any reason an attacker gets access to the database, they will have the username and the plain password of every user and can use them to log into your application as a valid user with other users' credentials. To avoid this, we must hash the user's password in the API code before saving it in the database.
So in this lecture, let's learn what we mean by password hashing and salting.
This is again going to be a theoretical lecture; we will cover the important points to know about hashing and salting before we actually implement it.
So what is hashing? Hashing a password is the process of transforming the user's password into a seemingly random string of characters of fixed length using a mathematical algorithm called a hash function. The algorithm is called the hash function or hashing algorithm, and the resulting value is called the hash or message digest.
We pass a string value to this hashing algorithm. A password is also a string value, containing alphanumeric characters, special characters and so on, and that string goes through the hashing algorithm. The algorithm produces a fixed number of output bytes; to store them as text they are encoded, usually as hexadecimal or base64 (bcrypt uses its own base64 alphabet), and that encoded string is what we call the hash or message digest. Generally we just call it the hash.
Now hashing algorithm has some key characteristics which we should be aware of.
First of all, regardless of the length of the input password, the resulting hash always has a specific predefined length. It does not matter what the size of your password is: it can be 8 characters, 12 characters, 20 characters and so on, but the hash strings generated for all of them have the same fixed length. So we can say that hashing is the process of generating a fixed-size output from a variable-size input.
Then, hashing is a one-way function. It is practically impossible to reverse the hashing process and obtain the original password from its hash. So remember that hashing is not encryption, which can be decrypted. When you encrypt a string, the output also looks like a random base64 string, but it can be decrypted back to its original value by anyone holding the key. When you hash a password, the hashing algorithm also produces a fixed-length string, but from that string you cannot get back the original value: there is no key, and the function is designed so that recovering the input is computationally infeasible.
So this is one characteristic you need to be aware of: once a value is hashed, it cannot be converted back to its original value. Another important characteristic of a hashing algorithm is that it is deterministic.
That means the same input, the same string value, will always produce the same output.
So, for example, if two users are using the same password, the hash value for both will be the same. This is another very important characteristic we need to be aware of: the same input string, the same password, will always generate the same hash.
And finally, cryptographic hashing algorithms are collision resistant. That means it is extremely difficult to find two different passwords that produce the same hash. Collisions must exist, because inputs can be any length while the output is fixed, but a strong cryptographic hash function makes finding one computationally infeasible. For password storage the related property that matters most is that an attacker cannot find any input that produces a given stored hash (preimage resistance).
So these are the key characteristics of a hashing algorithm.
Now, in this course we are going to use the bcrypt algorithm for hashing the password, and for that we are going to use the bcryptjs library from npm.
Now, when we are hashing the password we should also add a salt to it.
Password salting is the process of adding a unique random string to each user's password before hashing it, which ensures that even if two users have the same password, their hashed values will be different. As we learned, hashing is deterministic: the same string always produces the same hash. So if we only use hashing and two or more users have the same password, the same hashed password will be saved in the database for all of them. An attacker who gets access to the database then sees at once which users share a password, and, because the hash depends only on the password, can attack many accounts with one precomputed table of hashes for common passwords (a rainbow table); cracking one shared hash reveals the password for every user who has it. That is why we add a salt: it ensures that even if two users have the same password their hashed values differ, and it forces the attacker to attack each user's hash separately. So password salting is a security technique used to protect stored passwords from being easily cracked or guessed, especially in the event of a data breach. The salt is a fixed-length, randomly generated value that is combined with the password before hashing; it is not secret, so it is stored in the clear, prefixed to the hash in the same string, so that it can be read back when the password has to be verified.
So whenever we hash a password we also add a salt to it, and the library returns one concatenated string containing the salt and the hash. A hashed password with a salt added to it looks something like this. When we hash a password with a salt, the generated string carries all the information we need later to compare a plain password against the hashed one.
So remember that a hashed password starts with a dollar symbol, followed by two characters that identify the algorithm used for hashing. When we use the bcrypt library, those two characters will be 2a, 2b, 2y and so on; these are the common identifiers telling which revision of bcrypt we are using. Then we have another dollar.
This dollar separates the next piece of information from the algorithm identifier, and the value you see here, 10, is the cost factor. When we want to hash a password with a salt we also need to specify the cost factor, and the cost factor determines the computational cost of generating the hash. The number of rounds is 2 to the power of the cost, so each increase of one doubles the work: cost 16 is 64 times as much work as cost 10. Generally this value is between 10 and 12, but if you set it to 16 the hash will be much harder to brute-force and will take correspondingly more time to compute.
The lower the value, the less secure the hashed password will be, but the faster it will be generated. So generally we use a value from 10 to 12, but you can use a higher value to make your hashed password stronger. In that case, when the user signs up and we generate the hashed password, it will take more time, so the signup process will become a bit slower; remember that every login pays the same cost, because verifying a password means recomputing the hash. A good practice is to pick the highest cost that keeps hashing around a few hundred milliseconds on your server hardware.
So this is the cost factor. Then we have the base64-encoded salt string. As I mentioned before, when we hash a password with a salt, that salt is stored prefixed to the hash value. So this string is the salt, and immediately after it, with no separator, comes the hash string. The salt is a 22-character string representing the 128-bit randomly generated salt encoded in bcrypt's base64 alphabet (which uses the characters ., /, A-Z, a-z and 0-9, so a dot in this position is part of the salt, not a separator). This unique random value is combined with the password before hashing, and as we learned it makes the hashed password more secure: even if two passwords are the same, the generated hash values differ.
The remaining 31 characters are the hash itself.
So this is the result of applying the bcrypt hashing algorithm to a plain-text password: 60 characters in total.
Now, as I mentioned before, in this course we are going to use the bcrypt algorithm for hashing the password. When the client sends a signup request to our Express application, that request will be handled by a route handler function; in our case, the signup route handler. From within that handler we are going to call a hash function, and for that we use the bcrypt library: the bcryptjs package provides a function called hash for turning a plain-text password into a hash string, and while hashing the password it also generates a salt, so that we get a strong hashed password. One thing to keep in mind: bcrypt only uses the first 72 bytes of the password, so anything beyond that is ignored.
After that we are going to save that hashed password in the users collection in the password field.
We will see this practically in our next lecture.
So this was a high-level theoretical overview of what we mean by password hashing and salting, why it is important, and why we add a salt before hashing.
This is all from this lecture. If you have any questions, feel free to ask. Thank you for listening and have a great day.