bcryptjs

Pure JavaScript implementation of bcrypt password hashing with no native dependencies. bcryptjs provides password hashing and comparison for user authentication, using the bcrypt algorithm with a configurable work factor (cost) so the hashing effort can be raised as hardware gets faster. Unlike the native bcrypt package, it works in both Node.js and browsers.

Evaluated Mar 06, 2026, v2.x
Category: Developer Tools. Tags: bcrypt, password-hashing, authentication, security, node, browser, open-source
⚙ Agent Friendliness: 67 / 100 (Can an agent use this?)
🔒 Security: 89 / 100 (Is it safe for agents?)
⚡ Reliability: 88 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: --
Documentation: 85
Error Messages: 78
Auth Simplicity: 100
Rate Limits: 100

🔒 Security

TLS Enforcement: 90
Auth Strength: 92
Scope Granularity: 88
Dep. Hygiene: 85
Secret Handling: 88

The pure JS bcrypt implementation is auditable and carries no native-code memory-safety risk. The cost factor must be calibrated to the hardware it runs on. bcrypt only hashes the first 72 bytes of the input; this is a known limitation, and supporting longer passwords requires pre-hashing.

⚡ Reliability

Uptime/SLA: 88
Version Stability: 90
Breaking Changes: 92
Error Recovery: 82

Best When

You need dependency-free password hashing in Node.js without native module compilation, or in environments with build constraints.

Avoid When

You want the gold standard (Argon2) or need maximum performance — use the argon2 npm package or the native bcrypt package for production at scale.

Use Cases

  • Hash user passwords before storage in database with configurable cost factor for security vs performance balance
  • Verify submitted passwords against stored hashes for user login authentication
  • Use async bcrypt operations to avoid blocking Node.js event loop during expensive hash operations
  • Build authentication systems without native compilation dependencies (unlike bcrypt npm package)
  • Hash passwords in environments where native modules are unavailable (AWS Lambda, restricted builds)

Not For

  • Hashing non-password data — bcrypt is designed for passwords; use SHA-256 or BLAKE3 for general hashing
  • High-throughput password hashing — bcrypt is intentionally slow; for bulk operations consider Argon2 with dedicated workers
  • Encryption — bcrypt is a one-way hash, not reversible encryption; use AES-GCM for encryption needs

Interface

REST API: No
GraphQL: No
gRPC: No
MCP Server: No
SDK: Yes
Webhooks: No

Authentication

Methods: none
OAuth: No
Scopes: No

Library with no auth requirement.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

Free and open source.

Agent Metadata

Pagination: none
Idempotent: Partial
Retry Guidance: Not documented

Known Gotchas

  • Always use async bcrypt.hash() and bcrypt.compare() — sync versions (hashSync, compareSync) block the event loop for 100-500ms at cost=10, killing server throughput
  • Cost factor (saltRounds) of 10 is the recommended minimum — lower values are faster but less secure; 12 is a good 2024 default balancing security and speed
  • bcrypt.compare() returns false for mismatches, it does NOT throw — agents checking auth must check the boolean return, not catch errors
  • Bcrypt truncates passwords at 72 bytes — anything beyond the first 72 bytes (fewer characters when the input contains multi-byte UTF-8) is silently ignored; pre-hashing with SHA-256 is needed to support long passwords
  • bcryptjs is ~30% slower than the native bcrypt package — for high-traffic auth endpoints, consider the native package if build environment supports it
  • The hash output includes the salt — store only the hash string; do NOT store salt separately as it's embedded in the hash output format

Scores are editorial opinions as of 2026-03-06.
