Why mark passwordHash with select: false in Mongoose?
To exclude it from find queries by default. Without this, User.find() returns passwordHash to the client. Use .select('+passwordHash') only when needed (e.g., for login).
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in How to Hash Passwords in Node.js With bcrypt
Use bcrypt. const hashed = await bcrypt.hash(password, 10). The second argument is salt rounds; 10 is a good default. Verify with bcrypt.compare(password, hash). Hash in a pre('save') Mongoose hook or in the controller.
bcrypt is designed for passwords. It is slow on purpose (so brute-forcing hashes is expensive) and has a salt built in (so two users with the same password get different hashes). It is the standard choice.
10 is a good default. It takes about 100ms on a modern CPU. Higher is slower (safer against brute force); lower is faster (weaker). For high-security apps, use 12. For most apps, 10 is fine.
Still have questions?
Browse all our FAQs or reach out to our support team
