madhums / node-express-mongoose-demo

A simple demo app using node and mongodb for beginners (with docker)

Home Page: https://nodejs-express-demo.fly.dev

bcrypt instead of crypto

juanda99 opened this issue · comments

It would be better to use bcrypt, because it's more secure as it's slower (uses more computing cycles).
Your code could also be better:

You wouldn't need a salt field in the User model, because it's saved in the same field as the password.

For authentication, something like:

var mongoose = require('mongoose'),
  bcrypt = require('bcryptjs');

var userSchema = mongoose.Schema({
  email: String,
  pw: String,
});

userSchema.methods.validPassword = function(password) {
  return bcrypt.compareSync(password, this.pw);
}; 

I can make a PR
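
The post's point that no separate salt field is needed follows from bcrypt's output format, which carries the version, cost and salt alongside the digest in one string. The sketch below is an added example, not code from the issue or the repository; the function names and `SAMPLE_HASH` are assumptions for illustration, and the sample string is constructed to match the format rather than taken from a real account.

```javascript
// bcrypt output layout: $<version>$<cost>$<22-char salt><31-char digest>
// Both salt and digest use bcrypt's own base64 alphabet: ./A-Za-z0-9
const BCRYPT_RE =
  /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Split a stored password field into its parts.
// Returns null when the value is not in bcrypt's format.
function parseBcryptHash(stored) {
  const m = BCRYPT_RE.exec(String(stored));
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // valid bcrypt cost range
  return { version: m[1], cost: cost, salt: m[3], digest: m[4] };
}

// Decide, after a successful login, whether the stored value should be
// replaced by a fresh hash: it is either not bcrypt at all (for example a
// legacy hash) or was created with a lower cost than the current policy.
function needsRehash(stored, minCost) {
  const parsed = parseBcryptHash(stored);
  return parsed === null || parsed.cost < minCost;
}

// bcrypt only uses the first 72 bytes of its input, so longer passwords
// should be rejected (or handled explicitly) before hashing.
function exceedsBcryptInputLimit(password) {
  return Buffer.byteLength(password, 'utf8') > 72;
}

// Constructed sample in bcrypt's format (cost 10); not a real credential.
const SAMPLE_HASH =
  '$2a$10$' + 'abcdefghijklmnopqrstuv' + 'ABCDEFGHIJKLMNOPQRSTUVWXYZ01234';

console.log(parseBcryptHash(SAMPLE_HASH));
console.log('rehash at cost 12?', needsRehash(SAMPLE_HASH, 12));
```

Because the cost is stored with each hash, the work factor can be raised later without a schema change: records are re-hashed one by one as users log in.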

+1 for bcrypt!

please +1