Password Hashing Guide: Why bcrypt, not SHA-256, for Passwords
Why general-purpose hash functions are wrong for passwords, what makes password hashes special, and how salts prevent rainbow tables.
Published:
Tags: security, cryptography, passwords
Password Hashing: Why Plain SHA-256 Is Not Enough

When developers learn that passwords should be "hashed, not stored in plain text," they sometimes implement it as and consider the job done. This is better than plain text but fundamentally insufficient. Understanding why requires understanding what password hashing is actually protecting against.

The Threat Model

Password hashing isn't about making passwords unreadable in your database under normal operation. Your database is (hopefully) not publicly accessible. The threat is a full database breach: an attacker has exfiltrated your entire user table, including the hashed passwords. Now the attacker runs the database on their local machine and attempts to crack the hashes. They have:

Unlimited time (within practical limits)
The best…
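As an added example (not code from the original article), the threat model above in practice: a bare SHA-256 of a common password is reversed instantly by a table precomputed once and reused across every user and every breach, while a salted, deliberately slow hash gives each user a different stored value that the table cannot match. The article recommends bcrypt; this example uses scrypt from the Python standard library as a stand-in (an assumption made so it runs without extra packages), and the wordlist is constructed.

```python
import hashlib
import hmac
import os

# Constructed sample of weak passwords that any cracking wordlist would contain.
WORDLIST = ["password", "123456", "letmein", "qwerty"]

# scrypt work factors (assumed values; tune upward for production hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def naive_hash(password: str) -> str:
    """The 'hashed, not plain text' shortcut the article warns about: bare SHA-256.
    Same password -> same digest for every user, and no salt, so precomputation works."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Precompute digest -> password once. This is the attacker's advantage: the
    work is done before the breach and amortised over every hash ever leaked."""
    return {naive_hash(p): p for p in wordlist}


def crack_by_lookup(table: dict, stored_hash: str):
    """Reversal is a dictionary lookup: zero per-user, per-guess computation."""
    return table.get(stored_hash)


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, slow hash (scrypt stand-in for the bcrypt the article recommends).
    A fresh random salt per user means identical passwords hash differently, so a
    table built for one user (or one site) is worthless for any other."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    leaked = naive_hash("letmein")
    print("bare SHA-256 cracked to:", crack_by_lookup(table, leaked))
    a, b = hash_password("letmein"), hash_password("letmein")
    print("same password, different stored values:", a != b)
    print("lookup table against salted hash:", crack_by_lookup(table, a))
```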