
Password Hashing (bcrypt/argon2)

Authentication

Password hashing is the process of transforming a user's plain-text password into a fixed-length, irreversible string of characters before storing it in your database. Unlike encryption, hashing is a one-way function: you cannot reverse the hash to recover the original password. When a user logs in, the application hashes the password they entered and compares it to the stored hash. Modern hashing algorithms like bcrypt and argon2 are specifically designed for passwords: they are intentionally slow (taking hundreds of milliseconds per hash) and include a unique random salt for each password, making it computationally infeasible to crack them even with powerful hardware. Bcrypt has been the industry standard for over a decade, while argon2 (winner of the 2015 Password Hashing Competition) adds memory-hardness, making it resistant to GPU- and ASIC-based attacks that parallelize computation.
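The register-and-verify flow described above, as an added example that is not part of this glossary entry. It uses Python's standard-library `hashlib.scrypt` (a memory-hard KDF like argon2) so it runs without third-party packages; in production you would call `argon2-cffi` or `bcrypt` instead, but the structure is the same: a fresh random salt per password, a deliberately slow derivation, a self-describing stored string that records the cost parameters, a constant-time comparison on login, and a `needs_rehash` check so cost can be raised over time. The cost parameters and the `$scrypt$...` storage format are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumed cost parameters for this example; tune n upward until one hash
# takes a few hundred milliseconds on your own hardware.
SCRYPT_N = 2 ** 14   # CPU/memory cost (must be a power of two)
SCRYPT_R = 8         # block size
SCRYPT_P = 1         # parallelism
SALT_BYTES = 16      # 128-bit random salt, unique per password
DKLEN = 32           # derived-key (hash) length in bytes


def _b64(data: bytes) -> str:
    # Unpadded base64 keeps the stored string compact.
    return base64.b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Return a self-describing string: $scrypt$n=..,r=..,p=..$<salt>$<hash>."""
    salt = os.urandom(SALT_BYTES)  # never reuse a salt across users
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    return f"$scrypt$n={n},r={r},p={p}${_b64(salt)}${_b64(dk)}"


def _parse(stored: str):
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != "scrypt":
        raise ValueError("not a scrypt record")
    params = dict(kv.split("=", 1) for kv in parts[2].split(","))
    return (int(params["n"]), int(params["r"]), int(params["p"]),
            _unb64(parts[3]), _unb64(parts[4]))


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and parameters; compare in constant time."""
    try:
        n, r, p, salt, expected = _parse(stored)
    except (ValueError, KeyError):
        return False  # malformed record never verifies
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record uses weaker-than-current parameters (or is unreadable).

    Call this right after a successful login, while the plaintext is still in
    memory, and store hash_password(password) if it returns True.
    """
    try:
        n, r, p, _, _ = _parse(stored)
    except (ValueError, KeyError):
        return True
    return (n, r, p) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Correct horse battery staple", record))
```

Because the salt and parameters travel with the hash, the database never needs a separate "pepper" column to verify, and two users who pick the same password get unrelated records.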

Why It Matters

Database breaches happen. It is not a question of if, but when your user data will be targeted. When attackers get access to a database, the first thing they look for is the user table with passwords. If passwords are stored in plain text or with weak hashing (MD5, SHA-1, unsalted SHA-256), they can be cracked in seconds using precomputed rainbow tables or modern GPUs that can test billions of hash combinations per second. With bcrypt or argon2, cracking a single password takes orders of magnitude longer, turning a minutes-long attack into one that would take years. This gives your users time to change their passwords and protects them from credential reuse attacks where a cracked password on your site unlocks their bank account, email, or other critical services.
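An added example, not from this glossary entry, that makes the two weaknesses named above concrete: an unsalted fast hash is deterministic, so identical passwords produce identical stored values and a precomputed table maps them straight back to plaintext, while a salted slow hash defeats both. The "precomputed table" is constructed here from four sample passwords to stand in for the rainbow tables and wordlists attackers use; `hashlib.scrypt` stands in for bcrypt/argon2, and the timing helper is for the reader to run locally (its result is hardware-dependent).

```python
import hashlib
import os
import time

# Constructed sample data: a tiny precomputed table of common passwords.
# Real lookup tables hold billions of entries, but the principle is identical.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
SHA1_TABLE = {hashlib.sha1(pw.encode()).hexdigest(): pw for pw in COMMON_PASSWORDS}


def store_unsalted_sha1(password: str) -> str:
    """Legacy storage: fast, unsalted, deterministic."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted_scrypt(password: str) -> str:
    """Modern storage: random salt plus a slow, memory-hard derivation."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt.hex() + "$" + dk.hex()


def lookup_in_table(stored_value: str):
    """Audit helper: does a stored value appear in the precomputed table?"""
    return SHA1_TABLE.get(stored_value)


def same_password_same_record(store_fn, password: str) -> bool:
    """True if storing the same password twice yields the same record,
    which lets an attacker spot shared passwords without cracking anything."""
    return store_fn(password) == store_fn(password)


def seconds_per_hash(store_fn, password: str = "benchmark", rounds: int = 5) -> float:
    """Rough cost of one stored hash; compare the two functions on your machine."""
    start = time.perf_counter()
    for _ in range(rounds):
        store_fn(password)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    legacy = store_unsalted_sha1("password")
    modern = store_salted_scrypt("password")
    print("unsalted SHA-1 recovered from table:", lookup_in_table(legacy))
    print("salted scrypt recovered from table:", lookup_in_table(modern))
    print("SHA-1 duplicates visible:", same_password_same_record(store_unsalted_sha1, "letmein"))
    print("scrypt duplicates visible:", same_password_same_record(store_salted_scrypt, "letmein"))
    print(f"SHA-1: {seconds_per_hash(store_unsalted_sha1):.6f} s/hash")
    print(f"scrypt: {seconds_per_hash(store_salted_scrypt):.6f} s/hash")
```

The table lookup is instantaneous regardless of how many users you have, which is the "seconds" figure above; with a unique salt, every user's hash must be attacked separately and each guess costs a full slow derivation, which is where the "years" comes from.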

What Happens Without It

In 2012, LinkedIn suffered a breach that exposed 6.5 million password hashes (later revealed to be 117 million). The passwords were hashed with unsalted SHA-1, a fast algorithm never intended for password storage. Security researchers cracked over 90% of the hashes within days using commodity hardware. Millions of users who reused their LinkedIn password on other services had those accounts compromised as well. By contrast, when Dropbox was breached in 2012 and 68 million credentials were stolen, half of the passwords were protected with bcrypt. Those bcrypt-hashed passwords remained largely uncrackable even years later when the data surfaced publicly. The difference between the two breaches came down entirely to the hashing algorithm used, one choice that protected millions of users or left them completely exposed.

Every app I build includes password hashing by default.

or hi@mikelatimer.ai