Why not use bcrypt.hashSync in request handlers?
It blocks the event loop. Other requests stall while the hash runs. Use the async API (await bcrypt.hash). In Mongoose, use a pre('save') hook with async/await.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in Common Password Hashing Mistakes (and How to Avoid Them)
Plain text, fast hashes (SHA-256), no salt, low rounds, sync hashing in request handlers, returning passwordHash in responses, logging passwords or hashes, rehashing on every save, not handling updates, and mixing purposes.
It is a fast hash, not a password hash. Fast means brute-forcing a list of hashes is fast. Password hashes (bcrypt, argon2) are slow on purpose, which makes brute-force expensive.
Without the check, every save rehashes the existing hash. Profile updates would rehash the already-hashed password, breaking login. Use if (!this.isModified('passwordHash')) return next();
Still have questions?
Browse all our FAQs or reach out to our support team
