How do you hash passwords and use the crypto module?

Question

Accepted Answer

Node's built-in **`crypto`** module provides cryptographic functions: hashing, encryption, random values, and HMAC. The most important practical use — **password hashing** — has a critical rule: never use fast, general-purpose hashes (MD5/SHA-256) for passwords.

## Password hashing: use a SLOW, salted algorithm

```js
import { scrypt, randomBytes, timingSafeEqual } from "crypto";
import { promisify } from "util";
const scryptAsync = promisify(scrypt);

// HASH a password (on signup)
async function hashPassword(password) {
  const salt = randomBytes(16).toString("hex");          // unique random salt per user
  const derived = await scryptAsync(password, salt, 64); // slow, salted derivation
  return `${salt}:${derived.toString("hex")}`;            // store salt + hash together
}

// VERIFY a password (on login)
async function verify(password, stored) {
  const [salt, hash] = stored.split(":");
  const derived = await scryptAsync(password, salt, 64);
  const hashBuf = Buffer.from(hash, "hex");
  return timingSafeEqual(hashBuf, derived); // constant-time compare (avoid timing attacks)
}
```

Key points: **`scrypt`** (or bcrypt/argon2) is *deliberately slow* to resist brute-force; a **unique salt per password** defeats rainbow tables; and **`timingSafeEqual`** compares hashes in constant time to prevent timing attacks.

## Why NOT MD5/SHA-256 for passwords

```js
// ❌ NEVER do this — SHA/MD5 are FAST, so attackers can guess billions/sec
crypto.createHash("sha256").update(password).digest("hex");
```

Fast hashes are fine for file checksums but catastrophic for passwords — their speed is exactly what makes them brute-forceable. (In practice, libraries like **bcrypt** or **argon2** are commonly preferred over raw scrypt for ergonomics.)

## Other crypto uses

```js
import crypto from "crypto";

crypto.randomBytes(32).toString("hex");        // secure random tokens (session ids, CSRF)
crypto.randomUUID();                            // a secure UUID v4

// HMAC — verify integrity/authenticity (e.g. webhook signatures)
crypto.createHmac("sha256", secret).update(payload).digest("hex");

// hashing for NON-secret integrity (file checksums) — SHA is fine here
crypto.createHash("sha256").update(fileBuffer).digest("hex");
```

## Why it matters

Getting password storage right is a critical security responsibility, and it's a common, dangerous mistake to use fast hashes or skip salting.

The `crypto` module (or higher-level bcrypt/argon2) provides the correct primitives: slow salted hashing for passwords, constant-time comparison, secure random generation for tokens, and HMAC for verifying integrity (like webhook signatures).

Understanding *why* passwords need slow, salted, constant-time handling — and that fast hashes are only for non-secret checksums — is essential to building authentication that doesn't expose users to credential theft.