Facebook Pixel

Why is SHA-256 bad for passwords?

It is a fast hash, not a password hash. Fast means brute-forcing a list of hashes is fast. Password hashes (bcrypt, argon2) are slow on purpose, which makes brute-force expensive.

Verify This Answer

Cross-check this information using these trusted sources:

More FAQs in Common Password Hashing Mistakes (and How to Avoid Them)

Plain text, fast hashes (SHA-256), no salt, low rounds, sync hashing in request handlers, returning passwordHash in responses, logging passwords or hashes, rehashing on every save, not handling updates, and mixing purposes.

It blocks the event loop. Other requests stall while the hash runs. Use the async API (await bcrypt.hash). In Mongoose, use a pre('save') hook with async/await.

Without the check, every save rehashes the existing hash. Profile updates would rehash the already-hashed password, breaking login. Use if (!this.isModified('passwordHash')) return next();

Still have questions?

Browse all our FAQs or reach out to our support team

Want to upskill yourself?

Our courses are taking a Coffee break, but your curiosity shouldn't. Stay engaged with namastedev linkedin, youtube, discord and other resources while you wait.

0
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.