← Back to Blog

Password Hashing Cheat-Sheet

Why Password Hashing Matters

Password hashing ensures that even if a database is leaked, attackers cannot directly read user passwords. A hash is a one-way function — it cannot be reversed, but it can be compared.

Core Concepts

• Salt: a unique random value per password to prevent rainbow table attacks.
• Pepper: a global secret stored separately from the database.
• Key stretching: multiple iterations to slow down brute-force attempts.

Recommended Algorithms

• Argon2: modern and memory-hard, ideal default choice.
• bcrypt: well-tested, battle-proven algorithm for most systems.
• PBKDF2: older but reliable if configured with strong parameters.

bcrypt Example (Node.js)

const bcrypt = require('bcrypt');
const hash = await bcrypt.hash(password, 12); // 12 salt rounds
const isValid = await bcrypt.compare(input, hash);

Best Practices

• Always use Argon2id if your framework supports it.
• Store the salt together with the hash; keep the pepper in secure storage (KMS).
• Regularly review your password policy and rehash on algorithm upgrades.