menu
How Passwords Are Stored Securely (Hashing, Salting, Bcrypt)

How Passwords Are Stored Securely (Hashing, Salting, Bcrypt)

Leader 2 9 41
calendar_todayschedule2 min read

When you create an account on any website…

You type your password and click Sign Up.

But here’s the question:

Where does your password actually go?
Is it stored as plain text?

If yes… that’s a disaster.

Let’s understand how real systems store passwords securely

⚠️ First: What NOT to Do

The worst way to store passwords:

Password: mypassword123

If a database gets leaked:

All user accounts are instantly compromised

This is called plain text storage
And no serious company does this.

Step 1: Hashing (One-Way Conversion)

Instead of storing the real password…

Systems store a hashed version.

Example:

mypassword123 → 482c811da5d5b4bc6d497ffa98491e38

This is called hashing

Important:

  • It’s one-way
  • You cannot convert it back to original password

So even if database leaks:

Attackers don’t see actual passwords

Step 2: Salting (Extra Security Layer)

Problem with hashing:

If two users have same password → same hash

That’s risky.

Solution:

Add a salt (random value) before hashing

Example:

Password: mypassword123
Salt: XyZ@91

Final: mypassword123 + XyZ@91 → Hash

Now:

  • Same password ≠ same hash
  • Makes attacks much harder

⚡ Step 3: Bcrypt (Smart Hashing)

Basic hashing is not enough today.

Hackers use:

  • GPU attacks
  • Rainbow tables

So we use Bcrypt.

Bcrypt is a hashing algorithm designed for passwords

It:

  • Automatically adds salt
  • Is intentionally slow
  • Makes brute-force attacks difficult

Example:

$2b$10$EixZaYVK1fsbw1ZfbX3OXePaWxn96p36n3c1t9v9Z8u1l9ZQFQO7e

How Login Actually Works

When you login:

  1. You enter password
  2. System hashes it again
  3. Compares with stored hash

If match:

Access granted

No password is ever “decrypted”

Simple Flow

User Password → Add Salt → Hash (Bcrypt) → Store

That’s it.

⚠️ Common Mistakes Developers Make

  • Storing plain text passwords ❌
  • Using fast hashing (like MD5, SHA1) ❌
  • Not using salt ❌

These make systems vulnerable

Best Practices

  • Always use Bcrypt (or Argon2)
  • Never store raw passwords
  • Use strong password policies
  • Add rate limiting for login attempts

Final Thought

Users trust your system with their data.

If passwords are not stored securely:

You are risking their identity

As a developer:

Security is not optional
It’s your responsibility

Now when you click “Sign Up” anywhere…

You know exactly what’s happening behind the scenes

Md Mijanur Molla
5.3k Points52 Badges2 9 41
Kolkata,WB,INDedulumix.in
44Posts
18Comments
62Followers
16Connections
Software Engineer @2Coms Group
Build your own developer journey
Track progress. Share learning. Stay consistent.
Create your profile
🔥 Join developers growing publicly
Share your knowledge, build in public, and grow your developer presence with a global community.
Join CoderLegion

More Posts

I’m a Senior Dev and I’ve Forgotten How to Think Without a Prompt

Karol Modelskiverified - Mar 19

TypeScript Complexity Has Finally Reached the Point of Total Absurdity

Karol Modelskiverified - Apr 23

How I Built a React Portfolio in 7 Days That Landed ₹1.2L in Freelance Work

Dharanidharan - Feb 9

Sovereign Intelligence: The Complete 25,000 Word Blueprint (Download)

Pocket Portfolio - Apr 1

Why Prompt Engineering Is Just an Expensive Way to Be Incompetent

Karol Modelskiverified - May 21
chevron_left

More From Md Mijanur Molla

Why Your AI Assistant Gets Lost in Large Repositories

The Real Reason Developers Love Dark Mode

Why Production Is the Real Software Test Environment

Related Jobs

View all jobs →

Commenters (This Week)

1 comment
1 comment
1 comment

Contribute meaningful comments to climb the leaderboard and earn badges!