Skip to content
Latchkey

What Is Password Hashing? Storing Credentials Safely

Password hashing stores a one-way transform of a password so that even a stolen database does not reveal the original passwords.

Password hashing is how responsible systems store credentials. Instead of keeping the password, you keep a hash, a one-way function output that cannot be reversed to recover the password. When a user logs in, you hash their input and compare. Done right, with salting and a slow algorithm, a stolen database is far less damaging.

Why not store passwords directly

Storing plaintext passwords means a single database breach exposes every credential, and people reuse passwords across sites. Hashing ensures the stored value cannot be turned back into the password, so a breach does not immediately hand attackers working logins.

Hashing is one-way

  • A hash function maps input to a fixed-size output.
  • You cannot reverse the output back to the input.
  • You verify by hashing the candidate and comparing outputs.

Salt and slowness

A safe scheme adds a unique salt per password (defeating precomputed tables) and uses a deliberately slow function. Slowness is a feature here: it makes mass guessing expensive without noticeably affecting a single legitimate login.

The right algorithms

General-purpose hashes like SHA-256 are too fast for passwords. Purpose-built password hashes, bcrypt, scrypt, and Argon2, are intentionally slow and tunable. Using a fast hash for passwords is a classic, dangerous mistake.

Password hashing and CI/CD

If your application handles passwords, that code is high-risk and warrants focused security review in the pipeline. Static analysis and dependency scans in CI can catch weak hashing libraries or misconfigurations before they reach production.

Keep test data clean

Pipelines should never seed real credentials or commit password material. Test fixtures must use throwaway values, and secret scanning in CI helps catch any password or key that slips into the repository.

Key takeaways

  • Password hashing stores an irreversible transform, not the password itself.
  • Safe hashing uses a unique salt and a deliberately slow algorithm.
  • Use bcrypt, scrypt, or Argon2; never a fast hash like SHA-256 for passwords.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →