
JWT vs Bcrypt: Understanding Authentication & Password Security

✍️ By Arun Kumar | 11/14/2025

JWT (JSON Web Token)
====================

Purpose: Authentication and secure data transfer.


  • What it is:
    JWT is a compact, URL-safe token that represents a set of claims (data) between two parties — usually the client and server.


  • How it works:

    1. User logs in with username/password.

    2. Server verifies credentials.

    3. Server creates a JWT containing user info (like user ID) and signs it using a secret key.

    4. JWT is sent to the client.

    5. Client sends JWT with future requests (usually in the Authorization header).

    6. Server verifies the JWT signature to authenticate the user.


Structure of a JWT:
JWT has three parts, separated by dots (.):

header.payload.signature
  • Header: Info about the token type and algorithm used.

  • Payload: Data (claims) like user ID, roles, etc.

  • Signature: Created by signing the header and payload with a secret key.


Example JWT (header, payload and signature, each base64url-encoded and joined with dots):

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEsIm5hbWUiOiJBcnVuIn0.sflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Use case:

  • Logging in users without storing sessions on the server.

  • Authorization in REST APIs.



bcrypt
======

Purpose: Password hashing (security).


  • What it is:
    bcrypt is a hashing algorithm specifically designed for storing passwords securely.


  • Why not plain hash (like MD5)?
    Plain hashes are fast, so attackers can brute-force them quickly. bcrypt is slow and adaptive, which makes brute-force attacks harder.


  • How it works:

    1. When a user sets a password, bcrypt hashes it with a salt (random data).

    2. The hashed password is stored in the database.

    3. When the user logs in, the entered password is hashed with the same algorithm and compared to the stored hash.


Example in Node.js:

    const bcrypt = require('bcrypt');

    async function main() {
      // Hashing: bcrypt generates a random salt and embeds it, together with the
      // cost factor, in the hash string it returns.
      const saltRounds = 10;
      const password = 'mySecret123';
      const hash = await bcrypt.hash(password, saltRounds);

      // Verifying: bcrypt reads the salt and cost back out of the stored hash,
      // re-hashes the entered password and compares the result.
      const isMatch = await bcrypt.compare('mySecret123', hash);
      console.log(isMatch); // true
    }

    main();

Use case:

  • Safely storing passwords in a database.

  • Protecting user accounts even if the database is leaked.



Key Difference
==============

| Feature  | JWT                                  | bcrypt                                |
| -------- | ------------------------------------ | ------------------------------------- |
| Type     | Token for authentication             | Password hashing algorithm            |
| Use      | Verify identity & authorize requests | Securely store passwords              |
| Lifespan | Short-lived or long-lived tokens     | Stored permanently (hashed passwords) |
| Security | Signed, can expire                   | Slow hash, resistant to brute-force   |
