The password string provided by the user is not stored directly in the user document. Instead, it is handled as a virtual field.
mern-skeleton/server/models/user.model.js:
UserSchema .virtual('password') .set(function(password) { this._password = password this.salt = this.makeSalt() this.hashed_password = this.encryptPassword(password) }) .get(function() { return this._password })
When the password value is received on user creation or update, it is encrypted into a new hashed value and set to the hashed_password field, along with the salt value in the salt field.