🧱 Why You Should Never Store Actual Passwords

Storing the actual password (even encrypted) creates massive risks:


❗ Problem 1: If the database is compromised, all user accounts are compromised

  • Even if passwords are encrypted, they can often be decrypted (because encryption is reversible).

  • Attackers who get your encryption key can recover every user’s password.


🔐 Hashing = One-Way Street

  • With hashing, even if someone steals your database, they can’t get back the original password.

  • Because hashing is non-reversible by design.

Example:

User’s password: qwerty123

You store: SHA256("qwerty123") = b1f6...

No matter what — you can’t “unhash” that value.


💥 But What If Two Users Use the Same Password?

Good catch — that’s why we salt passwords:

salt = random(16 bytes)
hash = SHA256(salt + password)
store: [salt, hash]

Now even if two users use "qwerty123", they’ll have different stored hashes.


🔄 Why Not Just Encrypt Passwords?

Even if you encrypt passwords:

  • Someone who steals your database + key can decrypt them.

  • Passwords can be exposed by accident (e.g., logging decrypted values).

  • It violates the principle of least privilege: you shouldn’t need to know the password, only whether it matches.


🔑 TL;DR – Always Hash Passwords Because:

🔥 Risk🔐 Solution
Users reuse passwordsHashing protects them from reuse leaks
Database leaksHashed values are useless to attackers
Insider threatYou (the dev) shouldn’t know users’ passwords
Legal complianceGDPR, HIPAA, etc. require best practices like hashing