Quiz Entry - updated: 2026.07.14
How do you securely store user passwords?
Hash with a slow, salted algorithm — bcrypt or Argon2id, never MD5/SHA1/SHA256.
Correct approach:
# Python with bcrypt
import bcrypt
# Storing
password_hash = bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))
# Verifying
if bcrypt.checkpw(input_password.encode(), stored_hash):
authenticate_user()
Why bcrypt/Argon2 and not SHA-256?
| Algorithm | Speed | Purpose | For passwords? |
|---|---|---|---|
| MD5/SHA1 | ~billions/sec | Checksums, integrity | Never (fast = easy to crack) |
| SHA-256 | ~millions/sec | Digital signatures | No (still too fast) |
| bcrypt | ~few thousand/sec | Password hashing | Yes (deliberately slow) |
| Argon2id | Configurable | Password hashing | Yes (memory-hard, resists GPU attacks) |
Why slow is good: An attacker cracking passwords needs to try billions of guesses. If each guess takes 0.1 seconds instead of 0.000001 seconds, cracking becomes infeasible.
The salt ensures identical passwords produce different hashes, defeating rainbow table attacks.
See: OWASP Password Storage Cheat Sheet
Go deeper:
bcrypt (Wikipedia) — the adaptive work factor and why a deliberately slow hash resists brute force.
Argon2 (Wikipedia) — the memory-hard winner of the Password Hashing Competition and its i/d/id variants.