Why never log passwords or hashes?
Logs are often shipped to centralized systems with broader access than the database. A password or hash in logs is a leak waiting to happen. Filter sensitive fields from logs or use a logger that redacts them.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in Common Password Hashing Mistakes (and How to Avoid Them)
Plain text, fast hashes (SHA-256), no salt, low rounds, sync hashing in request handlers, returning passwordHash in responses, logging passwords or hashes, rehashing on every save, not handling updates, and mixing purposes.
It is a fast hash, not a password hash. Fast means brute-forcing a list of hashes is fast. Password hashes (bcrypt, argon2) are slow on purpose, which makes brute-force expensive.
It blocks the event loop. Other requests stall while the hash runs. Use the async API (await bcrypt.hash). In Mongoose, use a pre('save') hook with async/await.
Still have questions?
Browse all our FAQs or reach out to our support team
