
Why You Should Never Store Passwords in Plain Text (Hashing and Salting)

We often hear news about database breaches.

In these events, companies often claim, "Passwords are encrypted and safe." Strictly speaking, this is incorrect. Passwords should not be 'Encrypted', but 'Hashed'.

Let's explore the difference between encryption and hashing, and why you should avoid using MD5 or SHA-1.

1. Encryption vs. Hashing

The key difference lies in "Reversibility."

  • Encryption: Transforms data using a key. It can be reversed (decrypted) back to the original if you have the key. (Two-way)
  • Hashing: Transforms data into a fixed-length string. It cannot be reversed to the original. (One-way)

Even server administrators should not know user passwords. Therefore, we must use Hashing, which is irreversible.

2. Rainbow Table Attacks

"So, is using a hash function like SHA-256 safe?"

Unfortunately, no. Hash functions are deterministic; they always produce the same output for the same input.

Hackers pre-calculate hash values for common passwords like 123456 or password and store them in massive tables called Rainbow Tables.

If they steal the hashed passwords from your DB, they can simply look them up in these tables to crack the original passwords instantly.

3. Salting

To solve this, we use Salting.

Before hashing the password, we append a random string (Salt) to it. The salt is generated separately for each user and stored alongside the resulting hash; it does not need to be kept secret, it only needs to be unique.

Hash("password") -> Dangerous
Hash("password" + "random_salt_value") -> Safe

With salting, even if two users have the same password, they will have different hash values (since their salts are different), rendering Rainbow Tables useless.
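To make the rainbow-table argument in sections 2 and 3 concrete, here is a small added example (not code from the original article). It builds a tiny precomputed table of SHA-256 digests for a constructed list of common passwords, shows that a stolen unsalted digest can be recovered with a single dictionary lookup, and that the same lookup fails once a random per-user salt is appended. The password list, salt length and the use of SHA-256 as the underlying hash are assumptions for the demonstration; the point carries over to any fast hash.

```python
import hashlib
import os

# Constructed sample of weak passwords (illustration only).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def sha256_hex(data: bytes) -> str:
    """Plain SHA-256, hex-encoded."""
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(candidates):
    """Precomputed table: unsalted SHA-256 digest -> password.

    A real rainbow table is far larger and more compact, but the principle
    is the same: hash the candidates once, then look stolen digests up.
    """
    return {sha256_hex(pw.encode("utf-8")): pw for pw in candidates}


def hash_unsalted(password: str) -> str:
    """What a naive 'just SHA-256 it' scheme stores in the database."""
    return sha256_hex(password.encode("utf-8"))


def hash_salted(password: str, salt: bytes) -> str:
    """Hash(password + salt), as in the article's pseudo-code."""
    return sha256_hex(password.encode("utf-8") + salt)


def lookup(table, digest):
    """Return the recovered password, or None if the digest is not in the table."""
    return table.get(digest)


def demo():
    """Returns (unsalted lookup result, salted lookup result, salts-differ flag)."""
    table = build_lookup_table(COMMON_PASSWORDS)

    # 1. Unsalted: a stolen digest of "password" is in the table -> recovered instantly.
    cracked = lookup(table, hash_unsalted("password"))

    # 2. Salted: a random 16-byte salt makes the digest unlike anything precomputed.
    salt = os.urandom(16)
    not_cracked = lookup(table, hash_salted("password", salt))

    # 3. Two users with the same password but different salts get different hashes,
    #    so one cracked account reveals nothing about the other.
    h1 = hash_salted("password", os.urandom(16))
    h2 = hash_salted("password", os.urandom(16))

    return cracked, not_cracked, h1 != h2


if __name__ == "__main__":
    print(demo())  # ('password', None, True)
```

Note that the salted digest is still a single fast SHA-256 call per guess; salting defeats precomputation, not brute force, which is why the conclusion below still recommends a slow, key-stretching algorithm on top of the salt.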

Conclusion

Do not use simple hash functions (MD5, SHA-1, SHA-256) for password storage. They are designed to be fast, which makes them vulnerable to brute-force attacks.

Instead, use specialized algorithms that incorporate Salting and Key Stretching.

  • Recommended Algorithms: Argon2, bcrypt, scrypt, PBKDF2
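As an added example of the "salt plus key stretching" approach the conclusion recommends (this is not the article's code), the block below implements password storage with PBKDF2-HMAC-SHA256 from Python's standard library, one of the four algorithms listed above. The storage format (`pbkdf2_sha256$<iterations>$<salt>$<hash>`), the 16-byte salt, and the default of 600,000 iterations are assumptions chosen for this example; the iteration count is a tunable cost parameter and should be set as high as your login latency budget allows. Verification uses a constant-time comparison, and `needs_rehash` lets you raise the cost for existing users the next time they log in.

```python
import base64
import hashlib
import hmac
import os

# Assumed cost parameters for this example (not from the article).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor: each guess costs this many HMAC computations
SALT_BYTES = 16        # per-user random salt
KEY_LEN = 32           # derived key length in bytes


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted, stretched hash and encode it with its own parameters.

    Storing the algorithm, iteration count and salt next to the hash means the
    verifier never has to guess them, and the cost can be raised later.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, _b64(salt), _b64(dk))


def _parse(stored: str):
    """Split a stored string into (iterations, salt, expected_hash); None if malformed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        expected = base64.b64decode(parts[3], validate=True)
    except (ValueError, TypeError):
        return None
    if iterations <= 0 or not salt or not expected:
        return None
    return iterations, salt, expected


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in constant time."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations,
                                    dklen=len(expected))
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, target_iterations: int = ITERATIONS) -> bool:
    """True if the record was made with fewer iterations than we now require."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < target_iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```

In practice the same "store the parameters with the hash" pattern is what bcrypt, scrypt and Argon2 libraries do for you in their own encoded formats; the reason to prefer them is that, unlike PBKDF2, they are also memory-hard, which blunts GPU and ASIC brute force. Whatever you pick, never roll the comparison or the encoding by hand in production if your framework already provides a vetted password hasher.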

Security is not about being "unbreakable," but about "raising the cost of breaking in." Using the correct hashing algorithm raises that cost astronomically.
