Introduction
When you create an account on a website, your password is not supposed to be stored directly.
If it is stored in plain text, anyone who gains access to the database can see it.
The Problem with Plain Text
Imagine a database gets leaked.
If passwords are stored like this:
username | password
user1 | password123
user2 | hello123
Then everything is exposed immediately.
This is one of the worst security mistakes.
Why Encryption Is Not Enough
At first, encryption sounds like a solution.
But encryption can be reversed if someone has the key.
If that key is compromised, all passwords can be recovered.
That is why encryption is not ideal for password storage.
How Hashing Solves This
Instead of storing passwords directly, systems store a hash.
password123 -> 482c811da5...
When a user logs in:
- the system hashes the entered password
- compares it to the stored hash
- if they match, access is granted
The original password is never stored.
The Problem with Simple Hashing
If two users have the same password, they will have the same hash.
This creates a problem: an attacker can see at a glance which accounts share a password, and can look a hash up in a precomputed list of common passwords and their hashes, often called a rainbow table.
Adding Salt
A salt is a random value added before hashing.
password123 + random_salt -> hash
Now:
- even identical passwords produce different hashes
- precomputed attacks become much harder
Why bcrypt Is Used
Modern systems use algorithms like bcrypt.
bcrypt is designed to be slow on purpose.
This makes it harder for attackers to try millions of guesses quickly.
Key benefits:
- built-in salting
- adjustable cost, which controls slowness
- resistant to brute-force attacks
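The salting and slow-hashing steps described in the two sections above, as an added example that is not part of the original article. bcrypt needs a third-party package, so the slow, adjustable-cost step is shown with PBKDF2-HMAC-SHA256 from the Python standard library; the sample users, the record format (iterations$salt$hash) and the cost value are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Assumed cost for this demo: higher means each guess takes longer to check.
ITERATIONS = 200_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt=None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: iterations$salt_hex$hash_hex.

    A fresh random salt is drawn per password, so two users with the same
    password end up with different records in the database.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and cost, compare in constant time."""
    try:
        iters_str, salt_hex, hash_hex = record.split("$")
        iterations = int(iters_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: fail closed rather than guess
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


# Constructed sample database: two users who chose the same password.
USERS = {
    "user1": hash_password("password123"),
    "user2": hash_password("password123"),
}


def login(username: str, password: str) -> bool:
    """What the site does at login: fetch the stored record and verify the guess."""
    record = USERS.get(username)
    if record is None:
        return False
    return verify_password(password, record)
```

Comparing USERS["user1"] with USERS["user2"] shows the salt at work: the same password produces two different records, while unsalted_hash("password123") is the same every time.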
A Real Scenario
If a database is leaked:
- an attacker gets hashes, not passwords
- each hash is unique due to salt
- cracking them takes time and resources
This reduces the damage significantly.
Conclusion
Passwords should never be stored in plain text or simple encrypted form.
Hashing, combined with salt and slow algorithms like bcrypt, is what makes modern password storage secure.