Never store the plaintext
Storing passwords as plaintext or with reversible encryption is dangerous: a single database leak exposes every credential, and encryption only moves the problem to the key, which is often stored on the same servers and leaks with the data. Instead, systems store a one-way hash of each password, so the original password cannot be recovered from what is stored, only verified by hashing a candidate and comparing.
Salt defeats precomputation
A plain, unsalted hash is still weak because attackers precompute hashes for common passwords in rainbow tables, and because every user who chose the same password ends up with the same hash. A salt is a unique random value (at least 16 bytes from a cryptographic random generator) that is generated per password and stored alongside the hash. Because every user has a different salt:
- Identical passwords produce different hashes.
- Precomputed tables become useless.
Slow hashing resists brute force
Fast hashes like SHA-256 let attackers with GPUs try billions of guesses per second, and a salt does not help here: once the attacker has a user's salt, each guess for that user still costs one hash. Password-specific functions such as bcrypt, scrypt, and Argon2 are deliberately slow, and scrypt and Argon2 are also memory hard, which blunts GPU and ASIC acceleration. A work factor tunes the cost so verification stays acceptable for one login (tens of milliseconds) but brute-forcing many guesses becomes expensive. Store the work factor with the hash so it can be raised later as hardware gets faster.
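The three points above put together (a random per-password salt, a slow memory-hard hash, a stored work factor that can be raised later), as an added example that is not part of the original page. It uses scrypt from Python's standard hashlib; the parameters, the record format "scrypt$n$r$p$salt$hash" and the sample passwords are illustrative assumptions, not anything the page prescribes.

```python
"""Salted, slow password hashing with scrypt (stdlib hashlib), beside the
unsalted fast hash the text warns about."""
import hashlib
import hmac
import os
import time
from typing import Optional

# scrypt parameters. Assumption: illustrative values chosen so the memory
# footprint (128 * r * n = 16 MiB) stays under hashlib.scrypt's default limit.
SCRYPT_N = 2 ** 14   # CPU/memory cost: the tunable work factor
SCRYPT_R = 8         # block size
SCRYPT_P = 1         # parallelism
SALT_BYTES = 16      # 128-bit random salt, fresh for every password
HASH_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  n: int = SCRYPT_N) -> str:
    """Hash a password with a fresh random salt and return a self-describing
    record "scrypt$n$r$p$salt_hex$hash_hex". The salt argument exists only
    for tests; production callers must let this function draw one."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_BYTES)
    return f"scrypt${n}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and parameters stored in the record
    and compare in constant time, so a mismatch leaks no timing information."""
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    expected = bytes.fromhex(hash_hex)
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(digest, expected)


def needs_rehash(record: str, current_n: int = SCRYPT_N) -> bool:
    """True when the record was made with a weaker work factor than we now
    want; rehash with the plaintext on the next successful login."""
    parts = record.split("$")
    return len(parts) != 6 or parts[0] != "scrypt" or int(parts[1]) < current_n


def unsalted_sha256(password: str) -> str:
    """The weak scheme: same password gives the same hash for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def cost_ratio(password: str = "hunter2", guesses: int = 10) -> float:
    """Roughly how many SHA-256 guesses fit in the time of one scrypt guess."""
    salt = os.urandom(SALT_BYTES)
    pw = password.encode("utf-8")
    t0 = time.perf_counter()
    for _ in range(guesses):
        hashlib.scrypt(pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    slow = (time.perf_counter() - t0) / guesses
    t0 = time.perf_counter()
    for _ in range(guesses * 1000):
        hashlib.sha256(salt + pw).digest()
    fast = (time.perf_counter() - t0) / (guesses * 1000)
    return slow / fast


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    alice = hash_password("hunter2")
    bob = hash_password("hunter2")
    print("unsalted SHA-256 identical for both:",
          unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
    print("salted scrypt records differ:", alice != bob)
    print("verify correct password:", verify_password("hunter2", alice))
    print("verify wrong password:", verify_password("hunter3", alice))
    old = hash_password("hunter2", n=2 ** 10)       # record from a weaker era
    print("old record still verifies:", verify_password("hunter2", old),
          "but needs rehash:", needs_rehash(old))
    print("one scrypt guess costs about %.0f SHA-256 guesses" % cost_ratio())
```

Because the record carries n, r and p, verification never depends on a global setting, and needs_rehash lets you raise the work factor gradually: old records keep working, and each successful login upgrades one of them while the plaintext is briefly in hand.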
Key idea
Store passwords as salted, slow, one-way hashes using bcrypt, scrypt, or Argon2, with a per-password random salt and a work factor tuned to your hardware and raised over time, so a database leak does not reveal usable credentials.