Why notify users of password changes?
If an attacker changes the password, the user gets an email they did not expect. They can take action (reset the password, contact support). Silence on password change is a security hole.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in Password Security Roadmap for Node.js
Never plain text, pick an algorithm (bcrypt or argon2), use a salt, hash in a pre('save') hook, handle updates, mark with select: false, use a serializer, never log passwords, validate strength, rate limit login, use HTTPS, implement password reset, invalidate sessions on change, use httpOnly cookies, and notify users.
Never store plain text. Hash with bcrypt or argon2 before saving. No exceptions. Without this, every other step is wasted. This is the foundation.
After basic auth works and you have hashing in place. Reset depends on hashing the new password and sending emails. Implement it before launch so users can recover from forgotten passwords.
Still have questions?
Browse all our FAQs or reach out to our support team
