We all sign up for email accounts, bank accounts, shopping accounts, social media accounts, and many more. For every one of these accounts, you need a password, and you expect that these sites will take care of your login credentials. However, have you ever thought about how your password is handled once you press the ‘Sign Up’ button? This is where password hashing comes in. Instead of saving your password directly, they hash it so that it becomes hard to decode. This is one of the key components of keeping your personal information safe from hackers.
In this Password Hashing Explained guide, you’ll learn what password hashing is, how it works, why it is important, and the security practices developers use to keep passwords safe.
Password Hashing Explained: What Is Password Hashing?
To understand Password Hashing Explained, let’s start with the basics.
Password hashing is the procedure of transforming the password into a string of a certain length, which is termed a hash. Hash is a random sequence of letters and numbers and is computed by using a mathematical formula, which is called a hash function.

It should be mentioned that this operation is meant to be a one-way procedure. Although it is very easy to generate a hash from a password, it is almost impossible to generate the original password from a hash.
Thus, even though some unauthorised person manages to get the hash, they will not be able to know the password.
Why Do Websites Use Password Hashing?
One of the most prominent factors that led to the creation of password hashing is to protect websites from saving passwords in plain text.
Let’s say a company saves all its customers’ passwords as they were input by them. Now, if the passwords happen to get stolen, the hackers will have access to everyone’s passwords. This poses a great risk because many users use the same password for different websites.
What a secure website should do is:
- Create an account and select a password.
- Hash the password on their end.
- Save the hash only, not the actual password, in the database.
During login,
- Input your password.
- Hash the password once again.
- Compare the newly generated hash with the saved one.
- If they match, you get logged in.
Password Hashing Explained: Hashing vs Encryption
A common misconception about hashing is its confusion with encryption, yet they have different functions.
Encryption is when information is made illegible by use of some private key, which can then decrypt the encrypted information.
Encryption works great in cases where we will need to decipher the information at some point, for example, when sending a message or file.
Contrary to encryption, hashing cannot be reversed easily since once the password has been hashed, there is no key that will just reverse it to retrieve your password.
This means that password hashing is more secure than encryption when storing passwords since even the website doesn’t need to know your password after it’s stored.
What Is Salt, and Why Does It Matter?
One of the most important concepts in Password Hashing Explained is the use of a salt.
Salt is a randomly generated value that gets added to the password prior to hashing.
If there were two users who used the same password:
Password: Welcome123
Without adding salt, the two users would have the same hashes, which could assist an attacker to find out commonly used passwords if the database got stolen by the attacker.
After adding a random salt value to each password, the hashes obtained will be totally different.
Example:
- User A: Password + Salt A = Hash A
- User B: Password + Salt B = Hash B
Both users used the same password; however, their hashes are not the same.
The salt is stored along with the hash since it is required for the authentication of the password in the subsequent login attempts.
Understanding Pepper in Password Security
In addition to salts, there is another security technique that often goes hand in hand with the use of salts; that is called a pepper. Unlike a salt, a pepper is used in a different way.
While salts are usually unique for each user, a pepper is an application-wide secret that is kept separate from the password database. It can be kept in a separate secure file or key management system.
So we have:
Password + Salt + Pepper → Hash
Even in case the attackers have stolen the password database, they will still lack the pepper.
Why Slow Hashing Makes Passwords Safer
However, not all hash functions are equally secure. The older hash functions such as MD5 and SHA-1, are extremely fast. While speed is a benefit in many cases, it is a drawback when securing passwords.
With the development of hardware technology, modern computers (especially computers equipped with high-performing graphics accelerators) are capable of testing billions of password combinations per second with fast hash functions.
To prevent brute-force attacks, developers apply specialised hash functions for passwords that were specially created to take longer and be more computationally intensive to execute.
Among the most reliable password hash functions are the following:
- Argon2
- bcrypt
- scrypt
- PBKDF2
These algorithms allow developers to increase the amount of work required to calculate each hash. As a result, brute-force attacks become much slower and more expensive.
Password Hashing Explained: How the Entire Process Works
Now let’s put everything together.
Registration Process
When creating an account:
- The password is chosen by the user.
- The password is transmitted via an HTTPS connection.
- The server creates a random salt.
- The password is combined with the salt and sometimes with pepper.
- Hash is created using a secure hashing algorithm.
- The hash, salt, and hashing algorithm settings are stored by the server.
- The actual password never gets stored in the database.
Login Process
During login process:
- User enters the password.
- The server obtains the stored salt.
- The password is hashed with the same settings.
- The newly created hash is compared with the stored one.
- When the hashes match, the user is authenticated.
All of that is performed in milliseconds.
How Password Hashing Helps Against Cyber Attacks
Although password hashing does not prevent all cyberattacks, it greatly increases the difficulty of many attacks.
For instance, if the company’s database gets hacked, the hackers will get password hashes rather than passwords themselves. The task of obtaining the passwords will be incredibly difficult if secure hash algorithms and salts are used.
Moreover, password hashing provides protection against rainbow table attacks. Rainbow table attacks utilize large databases containing mappings between passwords and their hashes. However, this attack is useless because every password is hashed using a different salt.
It is important to note that password hashing does not protect against the credential stuffing attacks when hackers use the passwords leaked from other websites. That is why users must use different passwords for various websites.
Best Practices for Developers
Password management requires developers to adhere to certain key guidelines.
First, passwords must never be stored in plain text.
Second, current password hashing algorithms must be used, including Argon2, bcrypt, scrypt, and PBKDF2, as opposed to obsolete algorithms such as MD5 and SHA-1.
Third, each password must be assigned a random salt.
Forth, one may use a pepper, which is stored elsewhere than the database, as an additional security measure.
Last but not least, hashing configurations should be reviewed on a regular basis because computers become more powerful.
Tips for Users to Stay Safe
While the developers ensure that passwords are safely stored, the user is also a key player in safeguarding their account.
Here are a few tips that will help boost your online safety:
- Make sure to have complex and unique passwords for each of your accounts.
- Do not use the same password on more than one website.
- Always try to implement two-step verification.
- Utilize a reliable password manager to keep your passwords safe.
- Change the password right away once you find out about the breach of one of your accounts.
All of the mentioned actions go hand in hand with the process of password hashing.
Conclusion
Why It Matters Why Password Hashing Explained? This article will give you an idea of why websites do not store your actual password anymore and use only hashes to validate your identity on their web pages.
If we consider unique salts, peppers, and strong hashing algorithms, such as Argon2 or bcrypt, password hashing is one of the best solutions to prevent database leaks and any attempt at password cracking.
Even though there can be no perfect security measure, password hashing is a necessary component of contemporary cybersecurity. It works together with many other methods, such as using strong passwords, multifactor authentication, good website policies, etc., thus helping to protect countless online accounts.




