Password Hashing


Intermediate · Security · 1 min read

Tags: password-hashing, bcrypt, argon2, password-storage

Definition

The process of transforming passwords into irreversible fixed-length strings using purpose-built slow hashing algorithms — so that stored passwords cannot be recovered even if the database is stolen.


Why It Matters

If you store plaintext passwords or use fast hashes (MD5, SHA-1), a database breach immediately exposes all user passwords. With bcrypt, cracking each hash requires months of GPU computation.


Full Definition

Password hashing converts a plaintext password into a hash by a one-way transformation. Authentication works by hashing the supplied password and comparing the result with the stored hash. Use slow, memory-hard algorithms: bcrypt, scrypt, or Argon2id (recommended for new applications). Do NOT use SHA-256 or MD5; they are too fast for password storage. Use a unique salt per password to prevent rainbow table attacks, and set a work factor so that each hash takes roughly 100-300 ms, which makes brute force prohibitively expensive.
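A worked example of the scheme described above, added here and not part of the original page: a random per-password salt, a slow memory-hard KDF (scrypt from Python's standard library, with assumed parameters that should be tuned until one hash takes about 100-300 ms), a self-describing stored record, and verification by re-hashing and constant-time comparison.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed scrypt work factor: raise N until one hash takes ~100-300 ms on the
# authentication servers. Memory use is about 128 * N * r bytes (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32
MAXMEM = 64 * 1024 * 1024  # cap handed to OpenSSL; must exceed 128 * N * r


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record of the form $scrypt$n=..,r=..,p=..$<salt>$<hash>.

    A fresh random salt is drawn per call, so two users with the same password
    get different records. The salt is not secret; it only has to be unique."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                            dklen=KEY_BYTES, maxmem=MAXMEM)
    return f"$scrypt$n={SCRYPT_N},r={SCRYPT_R},p={SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the candidate with the salt and parameters from the stored record
    and compare in constant time; malformed or foreign records verify as False."""
    try:
        _, alg, params, salt_b64, digest_b64 = stored.split("$")
        if alg != "scrypt":
            return False
        p = dict(kv.split("=", 1) for kv in params.split(","))
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=int(p["n"]), r=int(p["r"]), p=int(p["p"]),
                                   dklen=len(expected), maxmem=MAXMEM)
    except (ValueError, KeyError):
        return False
    # compare_digest does not leak how many leading bytes matched
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))  # False
```

Because the record carries its own parameters, the work factor can be raised later and old records re-hashed on the user's next successful login.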


Knowledge Graph

Avoid these mistakes when using Password Hashing:

1. Using MD5 or SHA-256 for passwords → These are designed to be fast, making GPU brute-force trivial. Use bcrypt (cost 12+) or Argon2id instead.

2. Not using a salt → Without salting, identical passwords produce identical hashes, enabling rainbow table attacks. Always generate a unique random salt per password.

3. Using a global salt (pepper) instead of per-user random salts → A single leaked pepper compromises all passwords at once. Use per-user random salts.

Official Resources

No official documentation link on file for Password Hashing yet.