quiz vs the machine

Security

Password Hashing With bcrypt

Why slow salted hashing beats plain hashes for storing credentials.

The Problem

Storing passwords in plaintext or as fast hashes is dangerous because a stolen database lets attackers crack credentials quickly. A purpose-built password hash must be slow and salted to resist large-scale guessing.

How bcrypt Helps

  • bcrypt generates a random salt for every hash, so identical passwords produce different hashes and precomputed rainbow tables fail.
  • A configurable work factor (cost) sets how expensive each hash is, so brute force stays slow and the cost can be raised as hardware improves.
  • The salt and cost are embedded in the output string, so verification needs nothing beyond the stored hash itself.

Using It Well

  • Never use fast general-purpose hashes like MD5 or SHA-256 alone for passwords.
  • Tune the work factor so a single hash takes a noticeable fraction of a second on your hardware, and re-tune it over time.
  • Consider modern alternatives like Argon2 for memory-hard resistance.
  • Always combine with rate limiting and breach monitoring.
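The three bcrypt properties listed under "How bcrypt Helps" and the tuning advice under "Using It Well", shown in working code. This is an added example, not code from the lesson. It uses the third-party `bcrypt` package when it is installed; where it is not, it falls back to a clearly labelled stand-in built on the standard library's PBKDF2-HMAC-SHA256 that keeps the same design (random per-password salt, a tunable cost, and an output string that carries salt and cost beside the digest). The sample bcrypt string `SAMPLE_BCRYPT` is constructed to show the format and is not the hash of any real password; `choose_cost` is a helper name assumed here, not a bcrypt API.

```python
"""Added example: salted, cost-tunable, self-describing password hashing."""
import hashlib
import hmac
import os
import re
import time

try:
    import bcrypt  # third-party package (pip install bcrypt); used when available
except ImportError:  # stand-in path: PBKDF2-HMAC-SHA256 with the same properties
    bcrypt = None

# Constructed sample in bcrypt's modular-crypt format:
# "$2b$" + two-digit cost + "$" + 22-char salt + 31-char digest (60 chars total).
# The salt and digest characters are placeholders, not a hash of any real password.
SAMPLE_BCRYPT = "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

_BCRYPT_RE = re.compile(
    r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def parse_bcrypt_hash(stored: str) -> dict:
    """Split a bcrypt string into the fields it embeds.

    This is why a bcrypt-backed user table needs no separate salt or cost
    columns: verification reads both back out of the stored string.
    """
    m = _BCRYPT_RE.match(stored)
    if not m:
        raise ValueError("not a bcrypt hash string")
    version, cost, salt, digest = m.groups()
    return {"version": version, "cost": int(cost), "salt": salt, "digest": digest}


def hash_password(password: str, cost: int = 12) -> str:
    """Return a self-describing hash; a fresh random salt is drawn every call."""
    raw = password.encode("utf-8")
    if len(raw) > 72:
        # bcrypt only processes the first 72 bytes; refuse rather than silently truncate.
        raise ValueError("password longer than 72 bytes; pre-hash or reject it")
    if bcrypt is not None:
        # cost is the bcrypt "rounds" parameter: work doubles with each increment.
        return bcrypt.hashpw(raw, bcrypt.gensalt(rounds=cost)).decode("ascii")
    # Stand-in: 16-byte random salt, 2**cost PBKDF2 iterations, salt and cost
    # stored in the output exactly as bcrypt does. Labelled by its prefix.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", raw, salt, 2 ** cost)
    return f"$pbkdf2-sha256$cost={cost}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash using the salt and cost read back from `stored`."""
    raw = password.encode("utf-8")
    if stored.startswith("$2"):
        if bcrypt is None:
            raise RuntimeError("bcrypt hash stored but the bcrypt package is unavailable")
        return bcrypt.checkpw(raw, stored.encode("ascii"))
    _, _, cost_field, salt_hex, dk_hex = stored.split("$")
    cost = int(cost_field.split("=", 1)[1])
    dk = hashlib.pbkdf2_hmac("sha256", raw, bytes.fromhex(salt_hex), 2 ** cost)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


def choose_cost(target_seconds: float = 0.25, lo: int = 4, hi: int = 31) -> int:
    """Smallest cost whose hashing time reaches the target on this machine.

    Implements the tuning advice: pick a "noticeable fraction of a second"
    and re-run the benchmark as hardware gets faster.
    """
    for cost in range(lo, hi + 1):
        t0 = time.perf_counter()
        hash_password("benchmark-only-input", cost)
        if time.perf_counter() - t0 >= target_seconds:
            return cost
    return hi


if __name__ == "__main__":
    print(parse_bcrypt_hash(SAMPLE_BCRYPT))
    stored = hash_password("correct horse battery staple", cost=choose_cost())
    print(stored)
    print(verify_password("correct horse battery staple", stored))
```

Two hashes of the same password differ because each call draws its own salt, yet `verify_password` needs only the stored string, since the salt and cost travel inside it. The 72-byte guard reflects a real bcrypt limitation; the stand-in keeps the same guard so behaviour does not change between the two paths.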

Key idea

Password storage needs slow, salted hashing, so use bcrypt or Argon2 with a tuned work factor rather than any fast general-purpose hash.

Check yourself

1. Why is a salt added before hashing a password?

2. What does bcrypt's work factor control?

3. Which is a poor choice for password storage?