Web Security: How to store passwords in the database

Join the AI Workshop to learn more about AI and how it can be applied to web development. Next cohort February 1st, 2026

The AI-first Web Development BOOTCAMP cohort starts February 24th, 2026. 10 weeks of intensive training and hands-on projects.

You don’t. You don’t store passwords in the database. You store the password hash, a string generated from the password, but from which no one can go back to the original password value.

Using Node, install bcrypt:

npm install bcrypt

Require it, and define the salt rounds value, we’ll use it later:

const bcrypt = require('bcrypt')

const saltRounds = 10

Create a password hash

Create a password hash using:

const hash = await bcrypt.hash('PASSWORD', saltRounds)

where PASSWORD is the actual password string.

If you prefer callbacks:

bcrypt.hash('PASSWORD', saltRounds, (err, hash) => {
  
})

Then you can store the hash value in the database.

Verify the password hash

To verify the password, compare it with the hash stored in the database using bcrypt.compare():

const result = await bcrypt.compare('PASSWORD', hash) 
//result is true or false

Using callbacks:

bcrypt.compare('somePassword', hash, (err, result) => {
  //result is true or false
})

Lessons in this unit:

0:	Introduction
1:	CSRF (Cross Site Request Forgery) tutorial
2:	Cross Site Scripting (XSS) tutorial
3:	SQL injection
4:	JSON Web Token (JWT) explained
5:	▶︎ How to store passwords in the database
6:	Some inputs to check for XSS issues