diff --git a/package.json b/package.json
index 8c06e42efb..641f2b716f 100644
--- a/package.json
+++ b/package.json
@@ -19,7 +19,7 @@
 "license": "BSD-3-Clause",
 "dependencies": {
 "babel-polyfill": "6.13.0",
- "bcrypt-nodejs": "0.0.3",
+ "bcryptjs": "2.3.0",
 "body-parser": "1.15.2",
 "commander": "2.9.0",
 "deepcopy": "0.6.3",
@@ -53,6 +53,7 @@
 "babel-preset-es2015": "6.13.2",
 "babel-preset-stage-0": "6.5.0",
 "babel-register": "6.11.6",
+ "bcrypt-nodejs": "0.0.3",
 "cross-env": "2.0.0",
 "deep-diff": "0.3.4",
 "gaze": "1.1.1",
@@ -60,7 +61,7 @@
 "jasmine": "2.4.1",
 "mongodb-runner": "3.3.2",
 "nodemon": "1.10.0",
- "request-promise": "^4.1.1"
+ "request-promise": "4.1.1"
 },
 "scripts": {
 "dev": "npm run build && node bin/dev",
@@ -77,5 +78,8 @@
 },
 "bin": {
 "parse-server": "./bin/parse-server"
+ },
+ "optionalDependencies": {
+ "bcrypt": "0.8.7"
 }
 }
diff --git a/spec/Auth.spec.js b/spec/Auth.spec.js
index 0b19f4ca3a..14ed96bd7e 100644
--- a/spec/Auth.spec.js
+++ b/spec/Auth.spec.js
@@ -77,7 +77,18 @@ describe('Auth', () => {
 auth.getUserRoles()
 .then((roles) => expect(roles).toEqual([]))
 .then(() => done());
- })
+ });
+
+ it('should properly handle bcrypt upgrade', (done) => {
+ var bcryptOriginal = require('bcrypt-nodejs');
+ var bcryptNew = require('bcryptjs');
+ bcryptOriginal.hash('my1Long:password', null, null, function(err, res) {
+ bcryptNew.compare('my1Long:password', res, function(err, res) {
+ expect(res).toBeTruthy();
+ done();
+ })
+ });
+ });
 });
 });
diff --git a/src/password.js b/src/password.js
index a3eaa4bfb5..f7365260df 100644
--- a/src/password.js
+++ b/src/password.js
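Review bot: In spec/Auth.spec.js, the new 'should properly handle bcrypt upgrade' test calls `require('bcryptjs')` directly, so it never goes through src/password.js and would not notice an incompatibility when the optional native `bcrypt` module is the one loaded there. Both callbacks also ignore `err` (the inner one shadows the outer), and only the matching password is checked. I would add `expect(err).toBeFalsy();` in each callback and a second compare against a wrong password asserting `expect(res).toBe(false);`, so the test pins both that old hashes still verify and that they do not verify too loosely. Whether password.js exports a compare function the test could call instead is not visible in this diff.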
@@ -1,11 +1,15 @@
 // Tools for encrypting and decrypting passwords.
 // Basically promise-friendly wrappers for bcrypt.
-var bcrypt = require('bcrypt-nodejs');
+var bcrypt = require('bcryptjs');
+
+try {
+ bcrypt = require('bcrypt');
+} catch(e) {}
 // Returns a promise for a hashed password string.
 function hash(password) {
 return new Promise(function(fulfill, reject) {
- bcrypt.hash(password, null, null, function(err, hashedPassword) {
+ bcrypt.hash(password, 10, function(err, hashedPassword) {
 if (err) {
 reject(err);
 } else {
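Review bot: The empty `catch(e) {}` around `require('bcrypt')` hides every load failure, not only the expected case where the optional module is not installed, so a broken native build silently changes which library hashes and verifies passwords and nothing records which one is active. I would narrow it to something like `} catch (e) { if (e.code !== 'MODULE_NOT_FOUND') { console.warn('bcrypt failed to load, falling back to bcryptjs:', e.message); } }` and put a comment above the block saying that the native module is optional and bcryptjs is the fallback. The literal `10` in `bcrypt.hash(password, 10, ...)` would also read better as a named constant with a comment that it is the bcrypt cost factor, since it is the one tunable security parameter in this file. hash()'s body continues past the end of the hunk.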