Password must always be hashed. A simple way to secure passwords using NodeJS would be to use bcrypt-nodejs module.