What is the encryption used by Strapi in the password fields?

Hi, I hope you are doing well.

I’m new to Strapi and just for general knowledge I would like to know what algorithm Strapi uses to handle the encryption of the password fields.

Thanks for your answers.

We use bcrypt with autogenerated salt and hash.

Admin service:


Note that this only applies to the users & permissions => user model password.

If you create a new password field on the model it is not encrypted

Indeed. But you can solve this easily:

Store the hashed password by using lifecycles

const bcrypt = require('bcryptjs');

module.exports = {

  lifecycles: {
    * Triggered before entry creation.
    async beforeCreate(data) {
      data.passwordField = bcrypt.hash(data.passwordField,10);
    * Triggered before entry update.
    async beforeUpdate(params,data) {
      data.passwordField = bcrypt.hash(data.passwordField,10);

Note: encryption != hashing

Hashing is a one-way action and is used to hash sensitive data that you never gonna decrypt. If you hash data then you only can compare if new data is equal. It is mostly used for passwords.

Encryption is used to encrypt sensitive data that you want to decrypt in the future, for example, it can be used to store API tokens of third-party services in DB, if you don’t want to keep them as plain text for security reasons. Encrypted data usually offers the possibility to decrypt it. If you want to be able to encrypt/decrypt data then take a look at the node’s built-in module: crypto.

1 Like

Yup exactly