How should passwords be stored securely, and why should you never store them in plain text?

Question

Accepted Answer

Passwords must never be stored in plain text because database breaches happen. If attackers obtain your database and passwords are plain text, every account is immediately compromised. Users often reuse passwords, so the breach extends to their accounts on other services.

The correct approach is using password hashing with algorithms specifically designed for this purpose. These algorithms are intentionally slow and include salting.

Bcrypt is the most widely recommended algorithm. It incorporates a salt automatically and has a configurable work factor that can be increased as hardware gets faster. A typical work factor of ten or twelve makes brute force attacks impractical.

Argon2 is the winner of the Password Hashing Competition and is considered state of the art. It is memory-hard, meaning it requires significant memory to compute, making GPU-based attacks difficult. Use Argon2id for the best balance of security properties.

PBKDF2 is an older but still acceptable option when bcrypt or Argon2 are unavailable. It requires careful configuration with sufficient iterations.

Never use fast hash functions like MD5 or SHA256 for passwords. These algorithms are designed for speed, which is exactly what attackers want when brute forcing. Billions of attempts per second become possible with fast hashes.

Salting adds random data to each password before hashing. Even if two users have the same password, their hashes differ because of unique salts. This prevents rainbow table attacks, where attackers precompute hashes for common passwords.

When verifying a login, hash the provided password with the stored salt and compare to the stored hash. Never decrypt passwords because proper hashing is one-way.

Additional protections include enforcing minimum password complexity, detecting and blocking breached passwords using services like Have I Been Pwned, and implementing rate limiting on login attempts.