密码必须安全地存储 — 绝不能以明文存储,而是应该使用强大、缓慢、加盐的密码哈希算法(bcrypt、Argon2、scrypt)进行哈希处理。正确的密码处理是关键,因为密码泄露非常普遍且危害极大。
永远不要以明文存储;正确地进行哈希处理
text
❌ NEVER store passwords in plaintext (a breach exposes all passwords directly)
❌ Don't use fast/general hashes (MD5, SHA-256) alone — too fast → easily brute-forced
✅ HASH with a dedicated PASSWORD HASHING algorithm: BCRYPT, ARGON2, or scrypt:
→ SLOW by design (resistant to brute-force/GPU cracking)
→ SALTED (a unique random salt per password) → prevents rainbow-table attacks and
identical passwords hashing the same
js
hash = bcrypt.(password, );
valid = bcrypt.(inputPassword, storedHash);