Password Hashing - Irreversible Storage for Credentials

About 2 min read

Password hashing is a technique that converts a user's password into an irreversible fixed-length value before storing it in a database. Even if the database is leaked, the original password cannot be recovered from the hash value, so the damage can be kept to a minimum. Storing passwords in plaintext is a serious design flaw that is not acceptable under modern security standards.

The Dangers of Plaintext Storage

The danger of storing passwords in plaintext (as the raw string) has been proven by major past incidents. In the 2009 RockYou breach, about 32 million passwords were leaked in plaintext. The moment attackers obtained the database, they had every user's password, and users who reused their passwords were also harmed on other services. This incident is a symbolic case that showed the world just how catastrophic the consequences of storing passwords in plaintext can be. We explain how to respond to a data leak in detail in the data breach response guide.

An Overview of Password Hashing

Why General-Purpose Hashes Are Unsuitable for Passwords

SHA-256 and SHA-512 are cryptographically secure hash functions, but they are not suitable for hashing passwords. The reason is that they are "too fast." SHA-256 can perform billions of hash computations per second, and using a GPU makes it even faster. For an attacker, this means they can try an enormous number of password candidates in a short time. Password-specific hash functions address this problem by deliberately making the computation slow.

The Roles of Salt and Pepper

The Concept of Stretching

Stretching is a technique that deliberately repeats the hash computation thousands or tens of thousands of times to prolong the time a single hash computation takes. For a legitimate user's login, only one computation is needed, so a delay of a few hundred milliseconds is within an acceptable range; but when an attacker tries hundreds of millions of password candidates, the per-attempt delay accumulates and makes the attack impractical. Argon2 and bcrypt have a stretching mechanism built in.

Modern Recommended Algorithms

As of 2025, OWASP's recommended order of preference is as follows.

For new systems, choose Argon2id. If your existing system uses bcrypt with a cost factor of 12 or higher, there is no need to rush a migration. If you are using MD5, SHA-1, or SHA-256 alone for password hashing, you should migrate to one of the above promptly. To minimize the risk of a credential leak, choosing the right algorithm is essential. You can learn the basics of encryption in the basics of encryption article.cryptography and password security books on Amazon are also helpful references for implementation.

Common Misconceptions

A common misconception is that "encryption makes it safe." Encryption is a two-way transformation that can be decrypted with the key, and if the key is leaked, all passwords are exposed at once. The correct approach for storing passwords is hashing (a one-way transformation). The idea that "if you keep the salt secret, a pepper is unnecessary" is also wrong. Because the salt is stored together with the hash value, it is exposed simultaneously when the database is leaked. The pepper becomes an additional layer of defense precisely because it is stored in a location separate from the database. For the full picture of secure password operation, see the secure password management guide.