Why is SHA-256 bad for passwords?
It is a fast hash, not a password hash. Fast means brute-forcing a list of hashes is fast. Password hashes (bcrypt, argon2) are slow on purpose, which makes brute-force expensive.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in Common Password Hashing Mistakes (and How to Avoid Them)
Plain text, fast hashes (SHA-256), no salt, low rounds, sync hashing in request handlers, returning passwordHash in responses, logging passwords or hashes, rehashing on every save, not handling updates, and mixing purposes.
It blocks the event loop. Other requests stall while the hash runs. Use the async API (await bcrypt.hash). In Mongoose, use a pre('save') hook with async/await.
Without the check, every save rehashes the existing hash. Profile updates would rehash the already-hashed password, breaking login. Use if (!this.isModified('passwordHash')) return next();
Still have questions?
Browse all our FAQs or reach out to our support team
