How should passwords be stored and handled securely?

Question

Accepted Answer

Passwords must be stored securely — **never in plaintext**, but **hashed** with a strong, slow, salted password-hashing algorithm (bcrypt, Argon2, scrypt). Proper password handling is critical because password breaches are extremely damaging and common.

## Never store plaintext; hash properly

```text
❌ NEVER store passwords in plaintext (a breach exposes all passwords directly)
❌ Don't use fast/general hashes (MD5, SHA-256) alone — too fast → easily brute-forced
✅ HASH with a dedicated PASSWORD HASHING algorithm: BCRYPT, ARGON2, or scrypt:
  → SLOW by design (resistant to brute-force/GPU cracking)
  → SALTED (a unique random salt per password) → prevents rainbow-table attacks and
    identical passwords hashing the same
```

```js
// hashing with bcrypt (handles salting automatically)
const hash = await bcrypt.hash(password, 12);   // store the hash (with salt + cost)
// verifying at login
const valid = await bcrypt.compare(inputPassword, storedHash);   // compare securely
```

## Why these algorithms

```text
SALT → unique random value per password → identical passwords get DIFFERENT hashes;
  defeats precomputed (rainbow table) attacks
SLOW (work factor) → deliberately expensive to compute → brute-forcing millions of
  guesses becomes impractical (tunable cost factor as hardware improves)
→ bcrypt/Argon2/scrypt are designed for passwords; general hashes (SHA) are NOT.
```

## Other password practices

```text
✓ Enforce reasonable strength (length over complexity); check against breached-password lists
✓ MULTI-FACTOR authentication (MFA) → strong protection even if a password leaks
✓ HTTPS for transmission; rate-limit / lock out brute-force login attempts
✓ Secure password RESET (time-limited tokens); never email passwords; never log them
```

## Why it matters

Understanding secure password storage and handling is essential because **password breaches are extremely common and damaging**, and improper password storage is a serious, frequent vulnerability, so it's must-know security knowledge.

The fundamental rules are critical: **never store passwords in plaintext** (a breach would expose every user's password directly — catastrophic), and **don't rely on fast general hashes** (MD5, SHA-256) which are too fast and easily brute-forced.

Instead, **hash with dedicated password-hashing algorithms** (bcrypt, Argon2, scrypt) that are **slow by design** (resistant to brute-force and GPU cracking) and **salted** (a unique random salt per password, preventing rainbow-table attacks and ensuring identical passwords get different hashes).

Understanding **why these algorithms** — salting (defeating precomputed attacks, making identical passwords hash differently) and slowness/work factor (making mass brute-forcing impractical, with a tunable cost as hardware improves) — explains the correct approach versus the common mistakes (plaintext, fast hashes, no salt).

Understanding **other practices** — enforcing reasonable strength (length over complexity, checking breached-password lists), **MFA** (strong protection even if a password leaks), HTTPS for transmission, rate-limiting login attempts, secure password reset (time-limited tokens), and never logging or emailing passwords — reflects comprehensive password security.

Password handling is a high-stakes area where mistakes (plaintext storage, weak hashing) directly cause major breaches, while proper handling (strong salted hashing, MFA) significantly protects users.

Since password breaches are common and damaging and improper storage is a serious, frequent vulnerability, and since understanding secure storage (never plaintext, strong salted slow hashing with bcrypt/Argon2) and good practices (MFA, rate-limiting) is essential for protecting users, understanding secure password storage and handling is essential, must-know security knowledge — a critical, high-stakes area where the correct approach (dedicated password hashing, salting, MFA) prevents the catastrophic password breaches that improper handling causes, fundamental knowledge for any developer handling authentication.