LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How do you securely store user passwords?

Hash with a slow, salted algorithm — bcrypt or Argon2id, never MD5/SHA1/SHA256.

Correct approach:

# Python with bcrypt
import bcrypt
# Storing
password_hash = bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))

# Verifying
if bcrypt.checkpw(input_password.encode(), stored_hash):
    authenticate_user()

Why bcrypt/Argon2 and not SHA-256?

Algorithm Speed Purpose For passwords?
MD5/SHA1 ~billions/sec Checksums, integrity Never (fast = easy to crack)
SHA-256 ~millions/sec Digital signatures No (still too fast)
bcrypt ~few thousand/sec Password hashing Yes (deliberately slow)
Argon2id Configurable Password hashing Yes (memory-hard, resists GPU attacks)

Why slow is good: An attacker cracking passwords needs to try billions of guesses. If each guess takes 0.1 seconds instead of 0.000001 seconds, cracking becomes infeasible.

The salt ensures identical passwords produce different hashes, defeating rainbow table attacks.

See: OWASP Password Storage Cheat Sheet

Go deeper:

  • doc bcrypt (Wikipedia) — the adaptive work factor and why a deliberately slow hash resists brute force.
  • doc Argon2 (Wikipedia) — the memory-hard winner of the Password Hashing Competition and its i/d/id variants.

From Quiz: SPRG / Authentication & Session Management | Updated: Jul 14, 2026