How Passwords Are Stored Securely (Hashing, Salting, Bcrypt)

BackerLeader posted 2 min read

When you create an account on any website…

You type your password and click Sign Up.

But here’s the question:

Where does your password actually go?
Is it stored as plain text?

If yes… that’s a disaster.

Let’s understand how real systems store passwords securely.


⚠️ First: What NOT to Do

The worst way to store passwords:

Password: mypassword123

If a database gets leaked:

All user accounts are instantly compromised.

This is called plain text storage.
And no serious company does this.


Step 1: Hashing (One-Way Conversion)

Instead of storing the real password…

Systems store a hashed version.

Example:

mypassword123 → 482c811da5d5b4bc6d497ffa98491e38

This is called hashing.

Important:

  • It’s one-way
  • You cannot convert it back to the original password

So even if the database leaks:

Attackers don’t see the actual passwords.


Step 2: Salting (Extra Security Layer)

Problem with hashing:

If two users have the same password → same hash

That’s risky.

Solution:

Add a salt (random value) before hashing.

Example:

Password: mypassword123
Salt: XyZ@91

Final: mypassword123 + XyZ@91 → Hash

Now:

  • Same password ≠ same hash
  • Makes attacks much harder

⚡ Step 3: Bcrypt (Smart Hashing)

Basic hashing is not enough today.

Hackers use:

  • GPU attacks
  • Rainbow tables

So we use Bcrypt.

Bcrypt is a hashing algorithm designed for passwords.

It:

  • Automatically adds salt
  • Is intentionally slow
  • Makes brute-force attacks difficult

Example:

$2b$10$EixZaYVK1fsbw1ZfbX3OXePaWxn96p36n3c1t9v9Z8u1l9ZQFQO7e

How Login Actually Works

When you log in:

  1. You enter your password
  2. The system hashes it again
  3. It compares the result with the stored hash

If match:

Access granted.

No password is ever “decrypted”.
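The whole flow from the post (random salt, slow hash, store, verify at login) as an added example that is not from the original post. Python's standard library has no bcrypt, so it uses hashlib's PBKDF2-HMAC-SHA256 as the slow salted hash; the record layout is invented here and modelled on bcrypt's `$2b$cost$...` string.

```python
import base64
import hashlib
import hmac
import os

# Work factor, the analogue of bcrypt's cost (the "10" in "$2b$10$..."):
# raise it over time so one hash costs ~100 ms and GPU brute force stays expensive.
DEFAULT_ITERATIONS = 210_000
SALT_BYTES = 16

def unsalted_md5(password: str) -> str:
    """The anti-pattern from the post: fast and unsalted, same password -> same digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Random salt + slow hash, packed into one self-describing record.

    Record layout (invented for this example, modelled on bcrypt's "$2b$cost$salthash"):
        $pbkdf2-sha256$<iterations>$<salt base64>$<digest base64>
    """
    salt = os.urandom(SALT_BYTES)  # the "XyZ@91" step, but 128 random bits per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )

def verify_password(password: str, stored: str) -> bool:
    """Login step: re-hash the candidate with the stored salt and cost, then compare."""
    try:
        _, scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed, never "decrypt" anything
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Constant-time comparison so response timing cannot leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)

if __name__ == "__main__":
    alice, bob = hash_password("mypassword123"), hash_password("mypassword123")  # constructed sample users
    print("unsalted md5 identical:", unsalted_md5("mypassword123") == unsalted_md5("mypassword123"))
    print("salted records differ:", alice != bob)
    print("login ok / wrong password:", verify_password("mypassword123", alice), verify_password("wrong", alice))
```

Two users with the same password get different records, and a login check only ever re-hashes and compares.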


Simple Flow

User Password → Add Salt → Hash (Bcrypt) → Store

That’s it.


⚠️ Common Mistakes Developers Make

  • Storing plain text passwords ❌
  • Using fast hashes (like MD5 or SHA-1) ❌
  • Not using salt ❌

These make systems vulnerable.


Best Practices

  • Always use Bcrypt (or Argon2)
  • Never store raw passwords
  • Use strong password policies
  • Add rate limiting for login attempts

Final Thought

Users trust your system with their data.

If passwords are not stored securely:

You are risking their identity.

As a developer:

Security is not optional.
It’s your responsibility.


Now when you click “Sign Up” anywhere…

You know exactly what’s happening behind the scenes.
