🟢 Node.js Intermediate

What is bcrypt and why is it used for passwords?

Why Interviewers Ask This

Candidates at the intermediate level are expected to not only know this concept but explain the trade-offs involved. Interviewers use this question to see if you can reason about design decisions, not just recall facts.

Answer

bcrypt is a password hashing algorithm designed specifically for storing passwords securely. Unlike general-purpose cryptographic hashes (MD5, SHA-256), which are designed to be fast, bcrypt is intentionally slow, which makes brute-force and rainbow-table attacks computationally expensive. It automatically generates a random salt and embeds it in the output (defeating precomputed rainbow tables), and it has a configurable cost factor (work factor) that can be raised over time as hardware gets faster.

Usage with the bcrypt npm package:

(1) Hash on registration:
    const hash = await bcrypt.hash(password, 12);
    12 is the salt rounds (the cost factor): higher = slower = more secure.

(2) Verify on login:
    const match = await bcrypt.compare(plaintext, hash);
    returns a boolean.

Never compare password hashes with === (timing attacks). Never store plaintext passwords. bcrypt truncates input at 72 bytes; for longer passwords, consider argon2 (the newer, recommended algorithm), which won the Password Hashing Competition.

Common Mistake

A common mistake is memorizing definitions without understanding implications. When asked this question, go one level deeper — explain what happens when this concept is misused or ignored.