Okay... while this is kind of correct, I would empatically NOT follow this advice. First, sha512 is *not* sufficient alone for a hash, there are specific algorithms that will use sha256/512 as an underlying hash with thousands of iterations in order to create an appropriate hash. Second, the "rounds" for a salt is a total abuse of the term. The "rounds" in a password hash has to do with the number of cycles to perform on a passphrase hash. Third, you don't need to convert to a hex string when passing the salt to the hashing algorithm, it can stay an ArrayBuffer/Buffer. Fourth, the length of the hash should match the bit length of the underlying hashing algorithm. Going longer doesn't strengthen for a passphrase hash, and going shorter weakens the result. Here's a better example to work from: https://gist.github.com/tracker1/87bbebbf235e697588fc9d9b8ca4f0a2 Though, you may want to use something other than pbkdf2, the example above was using it because of legal requirements and that the algorithm is supported by node in the box. ---- Edit, corrected #4 - was thinking of something else.