How to compare a bcrypt hash between PHP and Node.js

Discover how to compare a bcrypt hash generated in PHP with password_hash(), using Node.js and the bcrypt module

I'm in a situation where a Node app and a PHP app are sharing a database. The PHP app handles the user registration and hashes the password using password_hash().

The password_hash() function uses the bcrypt algorithm if you specify PASSWORD_DEFAULT or PASSWORD_BCRYPT.

With Node, the bcrypt NPM module can be used to compare the hash and the plain password, with a little gotcha.

There are multiple versions of bcrypt:

PHP uses $2y$ while this NPM module uses $2a$. They are still compatible though, so we can just replace this part of the hash.




<?php
// password.php: hash a password with bcrypt and print the hash

$password = "qwertyuiop";

$hash = password_hash($password, PASSWORD_BCRYPT);
// PASSWORD_DEFAULT is equivalent as of now

echo $hash;


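// password.js: run the PHP script and verify its hash with the bcrypt module
const bcrypt = require('bcrypt');
const exec = require('child_process').exec;

const password = 'qwertyuiop';

const cmd = '/usr/local/bin/php ./password.php';

exec(cmd, (err, stdout, stderr) => {
  if (err) throw err;
  // PHP emits a $2y$ hash; swap the prefix for $2a$ before comparing
  const hash = stdout.trim().replace('$2y$', '$2a$');
  bcrypt.compare(password, hash).then(function (res) {
    // Should output true
    console.log(res);
  });
});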

It's working 👍

~/l/password-hash> node password.js

The reverse operation can of course be done using the same technique.
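
A stricter version of the prefix swap, covering both directions, as an added example that is not part of the original post. It validates the hash layout before rewriting the prefix, so a non-bcrypt hash (for instance if PASSWORD_DEFAULT stops meaning bcrypt) is rejected instead of silently failing the comparison. The function names and sample values are assumptions made for this illustration.

```javascript
// Added example: strict prefix conversion for bcrypt hashes shared by PHP and Node.
// Function names and sample values are assumptions made for this illustration.

// Modular crypt format: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
const BCRYPT_RE = /^\$2([abxy])\$(\d{2})\$([./A-Za-z0-9]{53})$/;

function parseBcrypt(raw) {
  const m = BCRYPT_RE.exec(String(raw).trim()); // exec() stdout may carry whitespace
  if (!m) return null;
  return { variant: m[1], cost: Number(m[2]), body: m[3] };
}

// Rewrite only the variant marker of a well-formed hash; throw on anything else
// so an unsupported format is not mistaken for a wrong password.
function withVariant(raw, variant) {
  const p = parseBcrypt(raw);
  if (!p) throw new Error('not a bcrypt hash');
  const cost = String(p.cost).padStart(2, '0');
  return '$2' + variant + '$' + cost + '$' + p.body;
}

const toNodeHash = (phpHash) => withVariant(phpHash, 'a'); // $2y$ -> $2a$
const toPhpHash = (nodeHash) => withVariant(nodeHash, 'y'); // reverse direction

// Constructed sample values (not real password hashes).
const SAMPLE_PHP = '$2y$10$' + 'x'.repeat(53);
const SAMPLE_ARGON = '$argon2id$v=19$m=65536,t=4,p=1$c2FtcGxl$c2FtcGxl';

function demo() {
  const results = [];
  for (const h of [SAMPLE_PHP + '\n', SAMPLE_ARGON, '$2y$10$short']) {
    try {
      results.push(toNodeHash(h));
    } catch (e) {
      results.push('rejected: ' + e.message);
    }
  }
  return results;
}

console.log(demo());
```

The string returned by toNodeHash() is what would be passed to bcrypt.compare() in place of the plain replace() call.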

Source: Stack Overflow