bcrypt (npm)
Node.js bcrypt password hashing library using a native C++ addon for performance. Provides bcrypt hash generation and comparison with configurable salt rounds. bcrypt's intentional slowness (cost factor) makes it resistant to brute-force attacks. The standard password hashing library for Node.js, though argon2id is increasingly preferred for new projects due to better security properties.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Secure for password hashing when used with a sensible cost factor. Critical caveat: input is silently truncated at 72 bytes. OWASP's Password Storage Cheat Sheet lists argon2id first and positions bcrypt as the choice for legacy systems, so prefer argon2id for new systems. The package is a native addon that downloads or compiles platform binaries at install time, so audit and pin it like any other native supply-chain dependency before production use.
⚡ Reliability
Best When
Maintaining existing bcrypt-based systems or when bcrypt is an existing project standard — it's secure and battle-tested for password hashing.
Avoid When
Starting a new project — use argon2id (argon2 npm package) for better memory-hardness and OWASP recommendation compliance.
Use Cases
- • Hash user passwords before storage in agent user management systems using bcrypt with 10-12 salt rounds
- • Verify password attempts against stored hashes using bcrypt.compare() in agent authentication middleware
- • Migrate existing bcrypt hashes to a higher cost factor — bcrypt.compare() accepts a hash at any cost, so verify against the stored hash and, on success, re-hash at the current target whenever bcrypt.getRounds(storedHash) is below it; the plaintext is only available at login, so the upgrade is transparent to users
- • Hash API keys for agent-generated credentials before storing them — the hash is one-way, so a database leak does not yield usable keys; keep generated keys under 72 bytes (a 32-byte random key hex-encoded is 64 bytes), since bcrypt ignores anything beyond that
- • Compare passwords without a timing side channel — bcrypt.compare() checks the computed digest against the stored hash in constant time; to keep usernames from being enumerated by response time, run a compare against a dummy hash when the account does not exist instead of returning early
Not For
- • New projects — argon2id has better security properties (memory-hard) and is the OWASP recommended algorithm over bcrypt; prefer argon2 for greenfield
- • High-frequency authentication in hot paths — bcrypt is intentionally slow; cache authenticated sessions or use JWT to avoid bcrypt on every request
- • Data encryption/decryption — bcrypt is one-way hashing only; use AES-256-GCM for data that needs to be recovered
Interface
Authentication
No authentication — cryptographic library. bcrypt IS the password auth primitive.
Pricing
bcrypt npm package is open source and free.
Agent Metadata
Known Gotchas
- ⚠ bcrypt uses at most the first 72 bytes of the password (bytes, not characters: a UTF-8 multi-byte character counts 2 to 4) and silently ignores the rest, so any two passwords that agree on their first 72 bytes produce the same hash and verify against each other; check Buffer.byteLength(password, 'utf8') before hashing, not .length
- ⚠ Native C++ addon: npm install fetches a prebuilt binary where one exists for the platform and Node version and otherwise compiles from source, which needs python, make and a C++ compiler, so CI images without them fail at install time; bcryptjs (pure JavaScript, same API and $2a/$2b hash format) is the fallback for environments that cannot build native code
- ⚠ saltRounds is the cost factor: bcrypt runs 2^saltRounds key-schedule iterations, so each increment doubles hash time for defender and attacker alike. Use 10 or more (OWASP Password Storage Cheat Sheet), 12 where login latency allows, never below 10 in production, and benchmark on the production hardware rather than a laptop
- ⚠ bcrypt.hashSync() and bcrypt.compareSync() block the event loop for the whole deliberately slow computation; use the promise/callback versions in servers. Those run on libuv's thread pool (4 threads by default), so a burst of logins queues hashes behind each other and behind other pool users such as fs and dns.lookup; size UV_THREADPOOL_SIZE or cap concurrent logins accordingly
- ⚠ Pre-hashing with SHA-256 to get around the 72-byte limit has pitfalls of its own: pass the digest hex- or base64-encoded (64 or 44 bytes), not as raw bytes, because a raw digest can contain 0x00 and some bcrypt implementations stop at the first NUL; and key the pre-hash (HMAC-SHA-256 with a server-side secret) rather than using bare SHA-256, otherwise an attacker holding unsalted SHA-256 hashes of the same passwords from another breach can test those digests directly against your bcrypt hashes. Rejecting passwords over 72 bytes, or moving to argon2id, avoids the question entirely
- ⚠ bcryptjs is roughly 3-5x slower per hash than the native addon. It is the same algorithm and hash format, so the attacker's work per guess is set by the cost factor either way; the slowdown only costs you login latency (and, since bcryptjs runs in JavaScript, main-thread time). Use native bcrypt in production and bcryptjs where native builds are impossible
Alternatives
Full Evaluation Report
Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for bcrypt (npm).
Scores are editorial opinions as of 2026-03-06.