How do I invalidate sessions on password change?
Bump a tokenVersion field on the user when the password changes. The auth middleware checks that the JWT's tokenVersion matches the user's current tokenVersion. After a change, old JWTs are rejected and the user must log in again.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in Password Storage Best Practices in Node.js
Always hash (never plain text), use a slow hash (bcrypt or argon2), use a salt (automatic), mark the field with select: false, use a serializer, never log passwords, hash in a pre('save') hook, handle updates, validate strength, rate limit login, use HTTPS, and invalidate sessions on password change.
To exclude it from find queries by default. Without this, User.find() returns passwordHash to the client. Use .select('+passwordHash') only when needed (e.g., for login). Combined with a serializer, this is defense in depth.
Require minimum 8 characters. Encourage passphrases. Reject common passwords (haveibeenpwned API or a wordlist). Do not enforce arbitrary complexity rules (uppercase, special chars) that hurt usability more than they help.
Still have questions?
Browse all our FAQs or reach out to our support team
