Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial

JavaScript npm Basics (retiring) Installing Packages with npm Installing Local Packages

Michael Williams
Michael Williams
Courses Plus Student 8,059 Points

Why does replacing "saltRounds" with "10" make this work?

I'm 100% new to this NPM business, and here's the code I got from readme doc.

var unsecurePlainTextPassword = "password";

var bcrypt = require('bcrypt');
bcrypt.genSalt(saltRounds, function(err, salt) {
    bcrypt.hash(unsecurePlainTextPassword, salt, function(err, hash) {

I got an error because saltRounds was undefined, which makes sense, cuz it's not. So I replaced it with 10 like in the video and it worked. But why does it work? Andrew doesn't explain that, unless I missed it, and I'm overwhelmed/don't understand the documentation to make sense of it on my own. Help? :)

1 Answer

Michael Hulet
Michael Hulet
47,911 Points

The answer to this has a lot more to do with cryptography than it does with NPM, and I highly recommend taking the Introduction to Data Security course to learn more. The easy answer without that background is that genSalt is expecting you to give it an integer for that argument, and 10 is just a solid arbitrary choice.

The long answer is that if you didn't include a salt in your hash, it'd be a lot more feasible to execute a brute force attack or use a rainbow table to figure out what passwords compute to what hashes. Adding in a random bit of data before putting it through your hash function means that you not only need to know the password, but you also need to know the random bit of data that was generated. bcrypt is a little special in that it requires you to use a salt, and that salt also tells it how many types it should perform the hash, which means bcrypt also needs to generate that salt. bcrypt performs its hash function 2^n times, where n is the number of times you tell it when you create the salt (this is saltRounds that you see in some of the documentation's sample code). This is meant for you to be able to configure, so that you can find the right balance between speed and security for your hardware. The point here is to make it as slow as acceptably possible, so it takes an attacker a longer time to generate their own hash to compare. The higher the number, the more times the hash is performed, and the more secure your hash is as a result, given the extra time cost of having to do more work. If your database is compromised, this means that it could take an attacker centuries to figure out a single password instead of seconds, so you generally want to make this number as high as possible while keeping your site appear speedy enough for your users, though 12 is generally a reasonable minimum given the speed of modern hardware. However, you should definitely make it higher if your server is fast enough