How does hashing work for password security?

· Category: Cybersecurity

Short answer

Hashing transforms a password into a fixed-length string that cannot feasibly be reversed back into the password. It allows a system to verify a password without ever storing the original text.

How it works

When a user creates a password, the system hashes it and stores only the hash. During login, the entered password is hashed again and compared to the stored value. If they match, authentication succeeds.

Modern password-hashing algorithms such as bcrypt, Argon2, and PBKDF2 combine each password with a salt (a random value generated per password) before hashing. Salts defeat precomputed rainbow tables and ensure that identical passwords produce different stored hashes.

Example

If two users both choose "Password123", bcrypt generates unique salts for each. The stored hashes differ completely, so cracking one does not reveal the other.
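The store-and-verify flow described above, as an added illustration that is not part of the original answer: it uses PBKDF2-HMAC-SHA256 from Python's standard library (bcrypt needs a third-party package), and the record format and function names are assumed for this example.

```python
import hashlib
import hmac
import os

# Work-factor parameters (assumed for this example; tune the iteration count
# so one check costs tens of milliseconds on your hardware).
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash a new password and return a self-describing record:
    algorithm$iterations$salt_hex$digest_hex. Only this record is stored."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-hash the candidate with the stored salt and iteration count, then
    compare in constant time. Malformed or unknown records never verify."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # hmac.compare_digest does not leak where the two digests first differ.
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Two users choosing the same password get completely different records.
    alice = hash_password("Password123")
    bob = hash_password("Password123")
    print(alice)
    print(bob)
    print("records differ:", alice != bob)
    print("correct password verifies:", verify_password("Password123", alice))
    print("wrong password verifies:", verify_password("password123", alice))
```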

Why it matters

Storing plaintext passwords is a critical vulnerability. When databases are breached, properly hashed passwords force attackers to perform expensive brute-force or dictionary attacks per entry, buying time for users to change credentials.