Facebook Pixel

Why mark passwordHash with select: false?

To exclude it from find queries by default. Without this, User.find() returns passwordHash to the client. Use .select('+passwordHash') only when needed (e.g., for login). Combined with a serializer, this is defense in depth.

Verify This Answer

Cross-check this information using these trusted sources:

More FAQs in Password Storage Best Practices in Node.js

Always hash (never plain text), use a slow hash (bcrypt or argon2), use a salt (automatic), mark the field with select: false, use a serializer, never log passwords, hash in a pre('save') hook, handle updates, validate strength, rate limit login, use HTTPS, and invalidate sessions on password change.

Require minimum 8 characters. Encourage passphrases. Reject common passwords (haveibeenpwned API or a wordlist). Do not enforce arbitrary complexity rules (uppercase, special chars) that hurt usability more than they help.

To prevent brute-force password attacks. 5 attempts per 15 minutes per IP and per email. After too many failures, lock the account temporarily. Rate limiting is a small addition with big protection.

Still have questions?

Browse all our FAQs or reach out to our support team

Want to upskill yourself?

Our courses are taking a Coffee break, but your curiosity shouldn't. Stay engaged with namastedev linkedin, youtube, discord and other resources while you wait.

0
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.