Md Mijanur Molla

How Passwords Are Stored Securely (Hashing, Salting, Bcrypt)

When you create an account on any website…

You type your password and click Sign Up.

But here’s the question:

👉 Where does your password actually go?
👉 Is it stored as plain text?

If yes… that’s a disaster.

Let’s understand how real systems store passwords securely 👇


⚠️ First: What NOT to Do

The worst way to store passwords:

Password: mypassword123

If a database gets leaked:

👉 All user accounts are instantly compromised

This is called plain text storage, and no serious company does this.


🔒 Step 1: Hashing (One-Way Conversion)

Instead of storing the real password…

Systems store a hashed version.

Example:

mypassword123 → 482c811da5d5b4bc6d497ffa98491e38

👉 This is called hashing

Important:

  • It’s one-way
  • You cannot convert it back to the original password

So even if the database leaks:

👉 Attackers don’t see actual passwords


🧂 Step 2: Salting (Extra Security Layer)

Problem with hashing:

If two users have the same password → same hash

That’s risky.

Solution:

👉 Add a salt (random value) before hashing

Example:

Password: mypassword123
Salt: XyZ@91

Final: mypassword123 + XyZ@91 → Hash

Now:

  • Same password ≠ same hash
  • Makes attacks much harder, because one precomputed table no longer works for every user
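To make Steps 1 and 2 concrete, here is an added example (not code from the post) that hashes two users with the same password first without a salt and then with a random per-user salt. It uses Python's standard library only; the user table is constructed for the demo, and SHA-256 stands in for "a hash" here, not for the slow password hash the post recommends in Step 3.

```python
import hashlib
import secrets

# Constructed sample: two users who happen to choose the same password.
USERS = {"alice": "mypassword123", "bob": "mypassword123"}


def hash_unsalted(password: str) -> str:
    """Plain one-way hash (SHA-256). The same input always gives the same output."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def new_salt(n_bytes: int = 16) -> str:
    """Random per-user salt from the OS CSPRNG (never a fixed or guessable value)."""
    return secrets.token_hex(n_bytes)


def hash_salted(password: str, salt: str) -> str:
    """Prepend the salt, then hash. The salt is stored next to the hash; it is not secret."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def store_unsalted(users: dict) -> dict:
    """What a leaked table looks like without salts: equal passwords, equal hashes."""
    return {name: hash_unsalted(pw) for name, pw in users.items()}


def store_salted(users: dict) -> dict:
    """Each user gets a fresh salt, so equal passwords no longer produce equal hashes."""
    table = {}
    for name, pw in users.items():
        salt = new_salt()
        table[name] = {"salt": salt, "hash": hash_salted(pw, salt)}
    return table


def unsalted_collisions(table: dict) -> int:
    """Number of users whose hash is shared with another user (visible to anyone holding the leak)."""
    return len(table) - len(set(table.values()))


def salted_collisions(table: dict) -> int:
    return len(table) - len({rec["hash"] for rec in table.values()})


if __name__ == "__main__":
    print(store_unsalted(USERS))   # alice and bob show the same hash
    print(store_salted(USERS))     # different salts, different hashes
```

Run it twice and the salted table changes each time while the unsalted one never does; that is exactly the property that stops an attacker from reusing one precomputed table across every account.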

⚡ Step 3: Bcrypt (Smart Hashing)

Basic hashing is not enough today.

Hackers use:

  • GPU attacks
  • Rainbow tables

So we use Bcrypt.

👉 Bcrypt is a hashing algorithm designed for passwords

It:

  • Automatically adds salt
  • Is intentionally slow
  • Makes brute-force attacks difficult

Example:

$2b$10$EixZaYVK1fsbw1ZfbX3OXePaWxn96p36n3c1t9v9Z8u1l9ZQFQO7e
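The bcrypt string above is self-describing: it carries the algorithm version, the cost factor and the salt alongside the hash, which is how bcrypt "automatically adds salt". This added example (not from the post) parses that layout with Python's standard library. The string itself is the post's sample value, not a real account's hash; the layout facts (version, two-digit cost, 22-character salt, 31-character hash, bcrypt's own `./A-Za-z0-9` alphabet, cost range 4 to 31) are bcrypt's documented format.

```python
import re

# Sample value from the post (a constructed example, not a real credential).
EXAMPLE_HASH = "$2b$10$EixZaYVK1fsbw1ZfbX3OXePaWxn96p36n3c1t9v9Z8u1l9ZQFQO7e"

# Modular crypt format used by bcrypt: $<version>$<cost>$<22-char salt><31-char hash>
# Salt and hash use bcrypt's own base64 alphabet (./A-Za-z0-9), not standard base64.
_BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<hash>[./A-Za-z0-9]{31})$"
)


def parse_bcrypt(stored: str) -> dict:
    """Split a stored bcrypt string into its parts; raise ValueError if it is malformed."""
    m = _BCRYPT_RE.match(stored)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost must be between 4 and 31")
    return {
        "version": m.group("version"),
        "cost": cost,
        "rounds": 2 ** cost,  # key-setup iterations the verifier must perform
        "salt": m.group("salt"),
        "hash": m.group("hash"),
    }


def is_bcrypt_hash(stored: str) -> bool:
    """Cheap sanity check before accepting a value into the password column."""
    try:
        parse_bcrypt(stored)
        return True
    except ValueError:
        return False


def relative_work(cost_a: int, cost_b: int) -> int:
    """How many times more work cost_b takes than cost_a (each +1 doubles it)."""
    return 2 ** (cost_b - cost_a)


if __name__ == "__main__":
    print(parse_bcrypt(EXAMPLE_HASH))
    print("cost 12 vs 10:", relative_work(10, 12), "x slower")
```

The `rounds` value is why bcrypt is "intentionally slow": cost 10 means 1024 iterations of its expensive key setup for every login attempt, and for every guess an attacker makes. A defender raises the cost as hardware gets faster; `is_bcrypt_hash` is the kind of check that catches a migration bug where a plain text or MD5 value ends up in the password column.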

🔄 How Login Actually Works

When you log in:

  1. You enter your password
  2. The system hashes it again, using the salt stored with your record
  3. Compares the result with the stored hash

If match:

👉 Access granted

No password is ever “decrypted”
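The full register-then-login round trip, as an added example that is not the post's own code. The post recommends bcrypt; to keep this runnable with Python's standard library alone it uses PBKDF2-HMAC-SHA256 as a stand-in slow hash (an assumption, not a claim that the two are interchangeable in strength). The stored string follows the same idea as bcrypt's `$2b$10$…` layout: algorithm, cost, salt and hash travel together, so verification needs nothing but the stored value and the submitted password. With a bcrypt library the two functions collapse to `bcrypt.hashpw` and `bcrypt.checkpw`.

```python
import hashlib
import hmac
import secrets

# Stand-in for bcrypt (assumption for this example): PBKDF2-HMAC-SHA256 from the
# standard library. The flow is the same: register = salt + slow hash + store;
# login = re-hash the submitted password with the stored salt and compare.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000  # the tunable cost, playing the role of bcrypt's cost factor


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(password: str, iterations: int = ITERATIONS) -> str:
    """Return the self-describing string to store: algorithm$iterations$salt$hash."""
    salt = secrets.token_bytes(16)          # fresh random salt per user
    digest = _derive(password, salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Login check: re-hash the submitted password with the stored salt and cost."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                        # malformed or plain text value: never "match"
    if algorithm != ALGORITHM:
        return False
    candidate = _derive(password, bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Constructed sample: one user signs up, then three login attempts."""
    stored = register("mypassword123")
    return {
        "stored": stored,
        "correct": verify("mypassword123", stored),
        "wrong": verify("mypassword124", stored),
        "garbage": verify("mypassword123", "plaintext-not-a-hash"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Notice that nothing is ever "decrypted": `verify` only recomputes the hash and compares. Two details a practitioner wants here are the constant-time comparison and the fact that a malformed stored value fails closed rather than being compared as text.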


🧠 Simple Flow

👉 User Password → Add Salt → Hash (Bcrypt) → Store

That’s it.


⚠️ Common Mistakes Developers Make

  • Storing plain text passwords ❌
  • Using fast hashing (like MD5, SHA1) ❌
  • Not using salt ❌

👉 These make systems vulnerable


🎯 Best Practices

  • Always use Bcrypt (or Argon2)
  • Never store raw passwords
  • Use strong password policies
  • Add rate limiting for login attempts

🚀 Final Thought

Users trust your system with their data.

If passwords are not stored securely:

👉 You are risking their identity

As a developer:

Security is not optional
👉 It’s your responsibility


Now when you click “Sign Up” anywhere…

You know exactly what’s happening behind the scenes 💙
