Compare two password hashes -- nodejs

I think your problem is in the salt. Usually you have to store the salt you used to hash the first time and reuse it the second time around. The reason for the salt is to make sure that the hash doesn't map to the original pass if some hacker were to retrieve it from a compromised system (using a rainbow table attack). See Why do we use the "salt" to secure our passwords?

If you try

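var crypto = require('crypto');

// one salt, generated once at startup and reused for every hash
var salt = crypto.randomBytes(128).toString('base64');

// keyed hash of the password: HMAC-SHA256 with the salt as the key
var hashPwd = function hashPwd(salt, pwd) {
    var hmac = crypto.createHmac('sha256', salt);
    return hmac.update(pwd).digest('hex');
};

// hash the submitted password with the same salt and compare with the existing hash
// (data and user come from the surrounding request handler)
var passHash = hashPwd(salt, data.Password);
console.log('the password is', user.PassHash === passHash);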

It would work as long as you don't restart the server (assuming you store the salt var outside the scope of the function invoked to respond to the http request).

A better solution (imo) is what bcrypt is doing. There you generate a salt per password, but to verify that a password is correct you use compare, which uses the salt stored in the hash. This way you can use different salts with each password, meaning you don't have to worry as much about a salt being compromised.

npm install bcrypt

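var bcrypt = require('bcrypt');
// the bcrypt package needs a salt or a cost factor as the second argument;
// 10 rounds is used here, and a fresh salt is generated and stored inside the hash
var hash = bcrypt.hashSync("my password", 10);

// compareSync reads the salt back out of the stored hash
bcrypt.compareSync("my password", hash); // true
bcrypt.compareSync("not my password", hash); // false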

There is also compareAsync and other async variants. See also: https://www.npmjs.com/package/bcrypt-nodejs
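
The per-password salt scheme described in the answer above, as an added example that is not part of the original answer: it uses Node's built-in crypto.scryptSync instead of bcrypt so it runs without dependencies. The names hashPassword and verifyPassword and the "salt$key" record format are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Assumed record format for this example: "<salt hex>$<derived key hex>"
const KEY_LEN = 32;

// Hash a password with a fresh random salt and keep the salt in the record.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password, salt, KEY_LEN);
  return salt.toString('hex') + '$' + key.toString('hex');
}

// Re-derive the key with the salt read from the stored record and compare
// in constant time. Malformed records are rejected instead of throwing.
function verifyPassword(password, stored) {
  const parts = String(stored).split('$');
  if (parts.length !== 2) return false;
  const salt = Buffer.from(parts[0], 'hex');
  const expected = Buffer.from(parts[1], 'hex');
  if (salt.length === 0 || expected.length !== KEY_LEN) return false;
  const actual = crypto.scryptSync(password, salt, KEY_LEN);
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed sample input: the same password hashed twice.
const record1 = hashPassword('my password');
const record2 = hashPassword('my password');

// Two hashes of the same password differ because the salts differ, so
// comparing hash strings directly fails; verification has to re-derive.
console.log('records equal:', record1 === record2);
console.log('correct password:', verifyPassword('my password', record1));
console.log('wrong password:', verifyPassword('not my password', record1));
console.log('malformed record:', verifyPassword('my password', 'garbage'));
```
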