freeCodeCamp/curriculum/challenges/english/06-quality-assurance/advanced-node-and-express/hashing-your-passwords.md

---
id: 58a25c98f9fc0f352b528e7f
title: Hashing Your Passwords
challengeType: 2
forumTopicId: 301553
---

# --description--

Going back to the information security section, you may remember that storing plaintext passwords is *never* okay. Now it is time to implement BCrypt to solve this issue.

Add BCrypt as a dependency, and require it in your server. You will need to handle hashing in 2 key areas: where you handle registering/saving a new account, and when you check to see that a password is correct on login.

Currently on our registration route, you insert a user's password into the database like so: `password: req.body.password`. An easy way to implement saving a hash instead is to add the following before your database logic `const hash = bcrypt.hashSync(req.body.password, 12);`, and replacing the `req.body.password` in the database saving with just `password: hash`.

Finally, on our authentication strategy, we check for the following in our code before completing the process: `if (password !== user.password) { return done(null, false); }`. After making the previous changes, now `user.password` is a hash. Before making a change to the existing code, notice how the statement is checking if the password is **not** equal then return non-authenticated. With this in mind, your code could look as follows to properly check the password entered against the hash:

```js
if (!bcrypt.compareSync(password, user.password)) { 
  return done(null, false);
}
```

That is all it takes to implement one of the most important security features when you have to store passwords!

Submit your page when you think you've got it right. If you're running into errors, you can check out the project completed up to this point [here](https://gist.github.com/camperbot/dc16cca09daea4d4151a9c36a1fab564).

# --hints--

BCrypt should be a dependency.

```js
(getUserInput) =>
  $.get(getUserInput('url') + '/_api/package.json').then(
    (data) => {
      var packJson = JSON.parse(data);
      assert.property(
        packJson.dependencies,
        'bcrypt',
        'Your project should list "bcrypt" as a dependency'
      );
    },
    (xhr) => {
      throw new Error(xhr.statusText);
    }
  );
```

BCrypt should be correctly required and implemented.

```js
(getUserInput) =>
  $.get(getUserInput('url') + '/_api/server.js').then(
    (data) => {
      assert.match(
        data,
        /require.*("|')bcrypt\1/gi,
        'You should have required bcrypt'
      );
      assert.match(
        data,
        /bcrypt.hashSync/gi,
        'You should use hash the password in the registration'
      );
      assert.match(
        data,
        /bcrypt.compareSync/gi,
        'You should compare the password to the hash in your strategy'
      );
    },
    (xhr) => {
      throw new Error(xhr.statusText);
    }
  );
```

# --seed--

# --solutions--

```js
/**
  Backend challenges don't need solutions, 
  because they would need to be tested against a full working project. 
  Please check our contributing guidelines to learn more.
*/
```
feat(challenge-md): Add initial markdown challenge files 2018-09-30 22:01:58 +00:00			`---`
			`id: 58a25c98f9fc0f352b528e7f`
			`title: Hashing Your Passwords`
			`challengeType: 2`
fix(curriculum): Added forumTopicId to remaining 1200 challeng… (#36558) 2019-08-05 16:17:33 +00:00			`forumTopicId: 301553`
feat(challenge-md): Add initial markdown challenge files 2018-09-30 22:01:58 +00:00			`---`

Feat: add new Markdown parser (#39800) and change all the challenges to new `md` format. 2020-11-27 18:02:05 +00:00			`# --description--`
fix(curriculum): advanced node express changes for new boilerplate (#39080) * fix: add tests and steps * add necessary changes * edit for new boilerplate * fix: adjust content for boilerplate merge * add 4 passing 1 failing socketio * fix: add socketio changes * fix: update wording and http test Co-authored-by: Kristofer Koishigawa <scissorsneedfoodtoo@gmail.com> * fix: replace glitch remix urls with repl.it urls * integrate steps between lessons 4 and 5 * add mongodb altas link * edit test to not require db deletion * correct register routing and formatting * fix typos and formatting * fix: typos, standardize spacing, and remove unnecessary hr elements * fix: add/update links Add or update Gist solution links at the bottom of each challenge. Also add a missing link/text to the top of one of the challenges. * fix: remove Repl.it/boilerplate repo links from all but first challenge * fix: add target='_blank' to links in challenges * add note about PIP browser issues * move PIP note to end of instructions Co-authored-by: Kristofer Koishigawa <scissorsneedfoodtoo@gmail.com> 2020-09-04 13:50:03 +00:00
Feat: add new Markdown parser (#39800) and change all the challenges to new `md` format. 2020-11-27 18:02:05 +00:00			`Going back to the information security section, you may remember that storing plaintext passwords is never okay. Now it is time to implement BCrypt to solve this issue.`
fix(curriculum): advanced node express changes for new boilerplate (#39080) * fix: add tests and steps * add necessary changes * edit for new boilerplate * fix: adjust content for boilerplate merge * add 4 passing 1 failing socketio * fix: add socketio changes * fix: update wording and http test Co-authored-by: Kristofer Koishigawa <scissorsneedfoodtoo@gmail.com> * fix: replace glitch remix urls with repl.it urls * integrate steps between lessons 4 and 5 * add mongodb altas link * edit test to not require db deletion * correct register routing and formatting * fix typos and formatting * fix: typos, standardize spacing, and remove unnecessary hr elements * fix: add/update links Add or update Gist solution links at the bottom of each challenge. Also add a missing link/text to the top of one of the challenges. * fix: remove Repl.it/boilerplate repo links from all but first challenge * fix: add target='_blank' to links in challenges * add note about PIP browser issues * move PIP note to end of instructions Co-authored-by: Kristofer Koishigawa <scissorsneedfoodtoo@gmail.com> 2020-09-04 13:50:03 +00:00
			`Add BCrypt as a dependency, and require it in your server. You will need to handle hashing in 2 key areas: where you handle registering/saving a new account, and when you check to see that a password is correct on login.`

Feat: add new Markdown parser (#39800) and change all the challenges to new `md` format. 2020-11-27 18:02:05 +00:00			Currently on our registration route, you insert a user's password into the database like so: `password: req.body.password`. An easy way to implement saving a hash instead is to add the following before your database logic `const hash = bcrypt.hashSync(req.body.password, 12);`, and replacing the `req.body.password` in the database saving with just `password: hash`.
fix(curriculum): advanced node express changes for new boilerplate (#39080) * fix: add tests and steps * add necessary changes * edit for new boilerplate * fix: adjust content for boilerplate merge * add 4 passing 1 failing socketio * fix: add socketio changes * fix: update wording and http test Co-authored-by: Kristofer Koishigawa <scissorsneedfoodtoo@gmail.com> * fix: replace glitch remix urls with repl.it urls * integrate steps between lessons 4 and 5 * add mongodb altas link * edit test to not require db deletion * correct register routing and formatting * fix typos and formatting * fix: typos, standardize spacing, and remove unnecessary hr elements * fix: add/update links Add or update Gist solution links at the bottom of each challenge. Also add a missing link/text to the top of one of the challenges. * fix: remove Repl.it/boilerplate repo links from all but first challenge * fix: add target='_blank' to links in challenges * add note about PIP browser issues * move PIP note to end of instructions Co-authored-by: Kristofer Koishigawa <scissorsneedfoodtoo@gmail.com> 2020-09-04 13:50:03 +00:00
Feat: add new Markdown parser (#39800) and change all the challenges to new `md` format. 2020-11-27 18:02:05 +00:00			Finally, on our authentication strategy, we check for the following in our code before completing the process: `if (password !== user.password) { return done(null, false); }`. After making the previous changes, now `user.password` is a hash. Before making a change to the existing code, notice how the statement is checking if the password is not equal then return non-authenticated. With this in mind, your code could look as follows to properly check the password entered against the hash:
fix(curriculum): advanced node express changes for new boilerplate (#39080) * fix: add tests and steps * add necessary changes * edit for new boilerplate * fix: adjust content for boilerplate merge * add 4 passing 1 failing socketio * fix: add socketio changes * fix: update wording and http test Co-authored-by: Kristofer Koishigawa <scissorsneedfoodtoo@gmail.com> * fix: replace glitch remix urls with repl.it urls * integrate steps between lessons 4 and 5 * add mongodb altas link * edit test to not require db deletion * correct register routing and formatting * fix typos and formatting * fix: typos, standardize spacing, and remove unnecessary hr elements * fix: add/update links Add or update Gist solution links at the bottom of each challenge. Also add a missing link/text to the top of one of the challenges. * fix: remove Repl.it/boilerplate repo links from all but first challenge * fix: add target='_blank' to links in challenges * add note about PIP browser issues * move PIP note to end of instructions Co-authored-by: Kristofer Koishigawa <scissorsneedfoodtoo@gmail.com> 2020-09-04 13:50:03 +00:00
			```js
			`if (!bcrypt.compareSync(password, user.password)) {`
			`return done(null, false);`
			`}`
			```

			`That is all it takes to implement one of the most important security features when you have to store passwords!`

Feat: add new Markdown parser (#39800) and change all the challenges to new `md` format. 2020-11-27 18:02:05 +00:00			`Submit your page when you think you've got it right. If you're running into errors, you can check out the project completed up to this point [here](https://gist.github.com/camperbot/dc16cca09daea4d4151a9c36a1fab564).`
fix(curriculum): advanced node express changes for new boilerplate (#39080) * fix: add tests and steps * add necessary changes * edit for new boilerplate * fix: adjust content for boilerplate merge * add 4 passing 1 failing socketio * fix: add socketio changes * fix: update wording and http test Co-authored-by: Kristofer Koishigawa <scissorsneedfoodtoo@gmail.com> * fix: replace glitch remix urls with repl.it urls * integrate steps between lessons 4 and 5 * add mongodb altas link * edit test to not require db deletion * correct register routing and formatting * fix typos and formatting * fix: typos, standardize spacing, and remove unnecessary hr elements * fix: add/update links Add or update Gist solution links at the bottom of each challenge. Also add a missing link/text to the top of one of the challenges. * fix: remove Repl.it/boilerplate repo links from all but first challenge * fix: add target='_blank' to links in challenges * add note about PIP browser issues * move PIP note to end of instructions Co-authored-by: Kristofer Koishigawa <scissorsneedfoodtoo@gmail.com> 2020-09-04 13:50:03 +00:00
Feat: add new Markdown parser (#39800) and change all the challenges to new `md` format. 2020-11-27 18:02:05 +00:00			`# --hints--`
feat(challenge-md): Add initial markdown challenge files 2018-09-30 22:01:58 +00:00
Feat: add new Markdown parser (#39800) and change all the challenges to new `md` format. 2020-11-27 18:02:05 +00:00			`BCrypt should be a dependency.`
feat(challenge-md): Add initial markdown challenge files 2018-09-30 22:01:58 +00:00
Feat: add new Markdown parser (#39800) and change all the challenges to new `md` format. 2020-11-27 18:02:05 +00:00			```js
			`(getUserInput) =>`
			`$.get(getUserInput('url') + '/_api/package.json').then(`
			`(data) => {`
			`var packJson = JSON.parse(data);`
			`assert.property(`
			`packJson.dependencies,`
			`'bcrypt',`
			`'Your project should list "bcrypt" as a dependency'`
			`);`
			`},`
			`(xhr) => {`
			`throw new Error(xhr.statusText);`
			`}`
			`);`
feat(challenge-md): Add initial markdown challenge files 2018-09-30 22:01:58 +00:00			```

Feat: add new Markdown parser (#39800) and change all the challenges to new `md` format. 2020-11-27 18:02:05 +00:00			`BCrypt should be correctly required and implemented.`
feat(challenge-md): Add initial markdown challenge files 2018-09-30 22:01:58 +00:00
Feat: add new Markdown parser (#39800) and change all the challenges to new `md` format. 2020-11-27 18:02:05 +00:00			```js
			`(getUserInput) =>`
			`$.get(getUserInput('url') + '/_api/server.js').then(`
			`(data) => {`
			`assert.match(`
			`data,`
			`/require.*("\|')bcrypt\1/gi,`
			`'You should have required bcrypt'`
			`);`
			`assert.match(`
			`data,`
			`/bcrypt.hashSync/gi,`
			`'You should use hash the password in the registration'`
			`);`
			`assert.match(`
			`data,`
			`/bcrypt.compareSync/gi,`
			`'You should compare the password to the hash in your strategy'`
			`);`
			`},`
			`(xhr) => {`
			`throw new Error(xhr.statusText);`
			`}`
			`);`
			```
feat(challenge-md): Add initial markdown challenge files 2018-09-30 22:01:58 +00:00
Feat: add new Markdown parser (#39800) and change all the challenges to new `md` format. 2020-11-27 18:02:05 +00:00			`# --seed--`
feat(challenge-md): Add initial markdown challenge files 2018-09-30 22:01:58 +00:00
Feat: add new Markdown parser (#39800) and change all the challenges to new `md` format. 2020-11-27 18:02:05 +00:00			`# --solutions--`
feat(challenge-md): Add initial markdown challenge files 2018-09-30 22:01:58 +00:00
			```js
add comment explaining no need for solutions (#37227) 2019-10-14 15:30:42 +00:00			`/**`
			`Backend challenges don't need solutions,`
			`because they would need to be tested against a full working project.`
			`Please check our contributing guidelines to learn more.`
			`*/`
feat(challenge-md): Add initial markdown challenge files 2018-09-30 22:01:58 +00:00			```