Facebook Pixel

Why never log passwords or hashes?

Logs are often shipped to centralized systems with broader access than the database. A password or hash in logs is a leak waiting to happen. Filter sensitive fields from logs or use a logger that redacts them.

Verify This Answer

Cross-check this information using these trusted sources:

More FAQs in Common Password Hashing Mistakes (and How to Avoid Them)

Plain text, fast hashes (SHA-256), no salt, low rounds, sync hashing in request handlers, returning passwordHash in responses, logging passwords or hashes, rehashing on every save, not handling updates, and mixing purposes.

It is a fast hash, not a password hash. Fast means brute-forcing a list of hashes is fast. Password hashes (bcrypt, argon2) are slow on purpose, which makes brute-force expensive.

It blocks the event loop. Other requests stall while the hash runs. Use the async API (await bcrypt.hash). In Mongoose, use a pre('save') hook with async/await.

Still have questions?

Browse all our FAQs or reach out to our support team

Want to upskill yourself?

Our courses are taking a Coffee break, but your curiosity shouldn't. Stay engaged with namastedev linkedin, youtube, discord and other resources while you wait.

0
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.