Password Hashing with bcrypt

Learn to protect user credentials by hashing passwords with bcrypt before storing them in your database.

When users sign up for an app, they trust it to protect their passwords. Storing those passwords in plain text creates a serious vulnerability—a single breach could expose every account. To reduce this risk, password hashing is used to make it extremely difficult to recover the original passwords.

This lesson demonstrates how to use bcrypt to hash passwords during registration and verify them at login—a key step in protecting user data and maintaining privacy.

Why do we hash passwords?

Hashing is the process of transforming input data—like a password—into a fixed-length string using a cryptographic hash function. A good hash function is irreversible, meaning the original input can’t be reconstructed from its hash. This property is crucial for protecting passwords—even if someone gains access to the database, they can’t retrieve the actual passwords.

When a user registers, their password is hashed before being stored. Later, during login, the password entered by the user is hashed using the same algorithm and then compared to the stored hash. If the values match, the user is authenticated.

To enhance security, we also use a technique called salting, where a random value is added to the password before hashing. This ensures that even if two users choose the same password, their hashes will differ. Salting also protects against rainbow table attacks, which rely on precomputed hash values to reverse-engineer common passwords.
