
What is password hashing and why should developers use bcrypt?

Coding Now Expert  •  Jun 29, 2026  •  4 views
I'm learning about user authentication and password security. Many tutorials recommend using bcrypt instead of storing plain-text passwords or using simple hashing algorithms like MD5 or SHA-256.

Can someone explain what password hashing is, how bcrypt works, and why it's considered a secure choice for storing user passwords? I'd also like to understand how bcrypt compares to other hashing algorithms and when it should be used in real-world applications.

1 Answer

riya
Jun 29, 2026
Password hashing is the process of converting a user's password into a fixed-length, irreversible string (called a hash) before storing it in a database. Instead of saving the actual password, the application stores only the hash.

For example:

Password: MySecurePass123

Hash:
$2b$12$7wXj7fS2M8dFQ2lW8q8M5eGxX9m9vLk9Qv3P5qF7bD2rN1YzE6K6K

When the user logs in, the entered password is hashed again and compared with the stored hash. If they match, authentication succeeds.

Why shouldn't passwords be stored in plain text?

If passwords are stored as plain text and the database is compromised, attackers can immediately see every user's password. Since many users reuse passwords across multiple websites, this can lead to much larger security breaches.

Hashing prevents the original password from being exposed, even if the database is leaked.

Why not use MD5 or SHA-256?

Algorithms like MD5 and SHA-256 are excellent for verifying file integrity, but they are too fast for password storage.

Modern hardware (especially GPUs) can compute billions of MD5 or SHA-256 hashes per second, making brute-force and dictionary attacks much more effective if an attacker obtains the password database.

How bcrypt improves security

bcrypt is a password hashing algorithm specifically designed for storing passwords securely.

Its key security features include:

Salting: bcrypt automatically generates a unique random salt for every password. Even if two users choose the same password, their stored hashes will be completely different.
Slow hashing: bcrypt intentionally takes longer to compute than general-purpose hash functions. This significantly slows down brute-force attacks.
Configurable cost factor: Developers can increase the work factor (cost) as hardware becomes faster, making password cracking progressively more expensive.
Example

Without salt:

Password: password123
MD5:
482c811da5d5b4bc6d497ffa98491e38

Every user with the same password gets the exact same hash.

With bcrypt:

User A:
$2b$12$X8x...

User B:
$2b$12$L9p...

Although both users chose the same password, the hashes are different because bcrypt generates a unique salt for each password.

Typical authentication flow:

1. User creates an account.
2. The application hashes the password using bcrypt.
3. Only the bcrypt hash is stored in the database.
4. During login, the entered password is hashed again using the same salt and cost factor.
5. If the generated hash matches the stored hash, the user is authenticated.

Example (Node.js)
const bcrypt = require("bcrypt");

// bcrypt's API is promise-based, and CommonJS does not allow top-level
// await, so the calls are wrapped in an async function.
async function demo() {
  const password = "MySecurePass123";

  // Hash password (12 is the cost factor; the salt is generated automatically)
  const hash = await bcrypt.hash(password, 12);

  // Verify password against the stored hash
  const isMatch = await bcrypt.compare(password, hash);

  console.log(isMatch); // true
}

demo();

The number 12 is the cost factor, which controls how computationally expensive the hashing process is.

When should bcrypt be used?

bcrypt is recommended whenever an application stores user passwords, including:

User registration and login systems
Full-stack web applications
REST APIs
Mobile app backends
Enterprise authentication systems

For general data integrity (such as verifying downloaded files), use algorithms like SHA-256. For password storage, use a dedicated password hashing algorithm such as bcrypt (or modern alternatives like Argon2 or scrypt), rather than fast cryptographic hash functions.
