Password Hashing and Storage Basics — And Why You Should Never Re-Use Passwords
I’ve explained the technicalities of password management in back-end systems many times — to both technical teams unfamiliar with the nuances and friends curious about how passwords get stolen and why password re-use is such a terrible idea.
While the topic can dive into complex territory, especially around hashing algorithms, the fundamental concepts are not difficult to grasp. It’s vital for everyone to have a basic understanding of these mechanisms.
Let’s dive into this through an example scenario of a web application we’ll call Snapogram — a platform for sharing your favorite photos.
Plaintext Passwords: The Dangerous Beginning
When you create an account on Snapogram, you pick a “secure” password — let’s say, “SuperS3cret!”. You enter this password into the app when registering.
Next time you log in, you provide your username and password. The app verifies your details and grants you access.
However, Snapogram doesn’t store your actual plaintext password in its database. That would be reckless. If the system were hacked, attackers would immediately have access to every user’s account. Not to mention, even Snapogram employees could see your password, which isn’t a risk worth taking.
Hashing: Making Passwords Secure
To avoid storing plaintext passwords, Snapogram uses hashing. Hashing is a one-way function (not encryption: there is no key that turns the output back into the input) that transforms your password into a scrambled, irreversible, fixed-length string called a hash.
For example:
- Plaintext Password: SuperS3cret!
- Hash (using SHA-256): A73C5D281F3B7A173B679F5AE7A309D3CBA17E27B5B92E2233E45B703CF7E8E7
The app stores this hash in its database. When you log in again, Snapogram hashes the password you enter and compares it to the stored hash. If the hashes match, you’re authenticated.
But there’s a problem: If attackers steal this database of hashed passwords, they can use a rainbow table to match known plaintext passwords to their hashes. A rainbow table is essentially a precomputed list of hashes for common passwords.
Let’s see how an attacker could crack the example above:
- Find the hash A73C5D281F3B7A173B679F5AE7A309D3CBA17E27B5B92E2233E45B703CF7E8E7 in the table.
- Match it back to SuperS3cret!.
- Gain access to your Snapogram account.
Worse still, if you’ve reused this password on other websites, they could access those accounts too.
Salting: Adding Uniqueness to Hashes
To combat rainbow tables, Snapogram takes a smarter approach by adding a salt — a random string of characters — to your password before hashing it.
For example:
- Plaintext Password: SuperS3cret!
- Salt: 8DxkPQ2mZ3Jr6@5V
- Salted Password: SuperS3cret!8DxkPQ2mZ3Jr6@5V
The salted password is hashed and stored:
- Salted Hash: $2b$12$8DxkPQ2mZ3Jr6@5Vx4zQr.BOIRNmw6ZFl0OaHEkCQXJp65mAbwXC
Here’s what happens during registration and login:
- The app generates a random salt for your password.
- It combines the salt and your plaintext password, then hashes them.
- The salt and hash are stored together in the database.
When you log in:
- The app retrieves your stored salt and hash.
- It hashes your entered password with the same salt.
- If the new hash matches the stored one, you’re authenticated.
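The following Python script is an added example, not code from the original post, that puts the two schemes described above side by side: the unsalted SHA-256 from the rainbow-table section, and the salt-then-hash registration and login flow from the steps just listed. Because bcrypt (the "$2b$12$" format shown in the article) is not part of Python's standard library, the salted scheme uses hashlib.pbkdf2_hmac as a stand-in; the structure is the same (a random per-user salt stored next to the hash, and a deliberately slow derivation). The small list of "common passwords", the 200,000-iteration work factor and the record layout are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- The weak scheme the article starts with: plain, unsalted SHA-256 ---

def unsalted_sha256(password: str) -> str:
    """Hash a password with SHA-256 and no salt, as in the first Snapogram example."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a rainbow table: precomputed hashes of a few common
# passwords. A real table holds millions of entries; the lookup works the same way.
PRECOMPUTED = {unsalted_sha256(p): p for p in ["password", "123456", "qwerty", "SuperS3cret!"]}

def lookup_in_table(stored_hash: str) -> Optional[str]:
    """Return the plaintext if a stolen hash appears in the precomputed table, else None."""
    return PRECOMPUTED.get(stored_hash.upper())

# --- The salted, slow scheme: per-user random salt + PBKDF2-HMAC-SHA256 ---
# (PBKDF2 is used here only because bcrypt is not in the standard library.)

ITERATIONS = 200_000  # illustrative work factor; raise it as hardware gets faster

def register(password: str, salt: Optional[bytes] = None) -> dict:
    """Registration: generate a random salt, hash salt + password, store both."""
    if salt is None:
        salt = os.urandom(16)  # 16 random bytes; never share a salt between users
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # The salt is stored in the clear next to the hash; it is not a secret.
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}

def verify(password: str, record: dict) -> bool:
    """Login: re-hash the entered password with the stored salt and compare."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["iterations"])
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), record["hash"])

def demo() -> dict:
    """Run both schemes on the article's password and return what we observe."""
    # Unsalted: every site storing this password stores the same hash,
    # so one precomputed table matches all of them.
    stolen = unsalted_sha256("SuperS3cret!")
    unsalted_identical = unsalted_sha256("SuperS3cret!") == stolen

    # Salted: two users with the same password get different salts, hence
    # different hashes, and the table built without the salt finds nothing.
    user1 = register("SuperS3cret!")
    user2 = register("SuperS3cret!")
    return {
        "unsalted_identical": unsalted_identical,
        "unsalted_table_hit": lookup_in_table(stolen),
        "salted_identical": user1["hash"] == user2["hash"],
        "salted_table_hit": lookup_in_table(user1["hash"]),
        "login_ok": verify("SuperS3cret!", user1),
        "wrong_password_ok": verify("SuperS3cret?", user1),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints an unsalted table hit for SuperS3cret! and identical unsalted hashes, while the two salted records differ, the table lookup on them returns None, the correct password verifies and the wrong one does not. The slow derivation is what bcrypt's cost parameter (the "12" in "$2b$12$") provides in production.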
Because each user has a unique salt, even if two users have the same password, their hashes will differ.
For example:
- User 1 Password: SuperS3cret!
- Salt: 8DxkPQ2mZ3Jr6@5V
- Hash: $2b$12$8DxkPQ2mZ3Jr6@5Vx4zQr.BOIRNmw6ZFl0OaHEkCQXJp65mAbwXC
- User 2 Password: SuperS3cret!
- Salt: R4qXp01lT7Fn8&9A
- Hash: $2b$12$R4qXp01lT7Fn8&9AK7cPgJYuLwoFSb1eH9wLx7Rr9C2nU8kRbkOm
This uniqueness makes rainbow tables ineffective, because a table precomputed without the salt never matches, and it forces an attacker to crack each user's hash separately, which significantly slows down brute-force attacks against a stolen database.
Why You Should Never Reuse Passwords
Password reuse remains a critical vulnerability. If Snapogram’s database is ever compromised, attackers might gain access to your hash and salt. While modern hashing techniques like bcrypt are designed to slow down brute-force attacks, they don’t make them impossible.
Now imagine you’ve reused your Snapogram password for your email account. An attacker could try your email and password combination across other platforms, such as banking apps or shopping sites.
This technique, called credential stuffing, is a leading cause of account breaches today.
How to Stay Safe
- Use Unique Passwords for Every Account: Avoid password reuse at all costs.
- Enable Two-Factor Authentication (2FA): Prefer authenticator apps over SMS for added security.
- Use a Password Manager: Tools like Bitwarden or 1Password can generate and store complex, unique passwords for you.
- Avoid Predictable Passwords: Use long, machine-generated passwords. If you must create your own, try nonsensical phrases like OrangeCactus-!Rocket#79.
Final Thoughts
Password security relies on a combination of technology and human behavior. While salting and modern hashing techniques have made passwords more secure, their effectiveness diminishes when we reuse passwords or choose weak ones.
Take proactive steps today to secure your accounts, and remember: A strong, unique password is your first and best defense.