How To Hash Passwords
📖 Bu rehber ToolPazar ekibi tarafından hazırlanmıştır. Tüm araçlarımız ücretsiz ve reklamsızdır.
Hash vs encryption
Password storage is one of the easiest things to get wrong and one of the most catastrophic when you do. Every year a major company leaks a database full of either plaintext or badly-hashed passwords, and every year developers keep making the same mistakes: MD5, SHA-256 without a salt, homemade obfuscation. This guide covers what a hash actually is, why the fast ones are wrong for passwords, and what to use instead.
Why plaintext is the worst mistake
SHA-256 is a fast, secure cryptographic hash. That’s great for file integrity checks and bad for passwords. A modern GPU can compute roughly ten billion SHA-256 hashes per second. An attacker with a leaked database and a $2,000 GPU can try every 8-character password in a weekend.
Why plain SHA-256 is also wrong
These are password-specific hashing functions designed to be slow and memory-hungry on purpose. bcrypt has been the default for 20 years and is still fine. Argon2 won the Password Hashing Competition in 2015 and is the current recommendation for new projects. scrypt sits between them.
What bcrypt, Argon2, and scrypt add
Modern libraries generate and store the salt for you — you don’t pick it, you don’t manage it. bcrypt embeds the salt inside the stored hash string. If you’re manually managing salts, you’re using the wrong library.