Password Hashing.
The one-way transformation of a password into a fixed-length string using a slow key-derivation function, designed so the original password cannot be recovered from the hash.
Hashing is not encryption — encryption is reversible with a key, hashing is one-way. Storing passwords "encrypted" is a red flag in any architecture review; the correct answer is hashed with a slow KDF, salted per user, and ideally peppered with an application-layer secret.
The recurring mistake is choosing a fast hash. SHA-256 hashes a password in microseconds, which means an attacker with a stolen database can try billions of guesses per second on commodity GPUs. The point of Argon2id, scrypt, and bcrypt is that they are deliberately slow and (for Argon2id and scrypt) memory-hard, which destroys the cheap-per-guess economics that makes fast-hash deployments fall.
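As an added example (not code from this page or its guides), the storage scheme described above, salted per user, peppered with an application-layer secret, and run through a memory-hard KDF, using Python's standard-library scrypt; Argon2id, the page's recommended choice, needs a third-party library but follows the same structure. The pepper value, work factors and storage format are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# scrypt work factors (constructed example values): memory use is about 128 * N * r bytes,
# so N=2**14, r=8 costs 16 MiB per guess. Raise N as your hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
MAXMEM = 64 * 1024 * 1024

# Pepper: a secret held outside the database (secrets manager, HSM), never beside the hashes.
# Constructed example value only.
PEPPER = b"constructed-example-pepper-do-not-use"


def _prehash(password: str, pepper: bytes) -> bytes:
    # Bind the pepper to the password with HMAC so a stolen table alone is not enough to start guessing.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    salt = os.urandom(16)  # per-user salt: identical passwords produce different hashes
    dk = hashlib.scrypt(_prehash(password, pepper), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, maxmem=MAXMEM, dklen=DKLEN)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    # Self-describing record so parameters can be raised later without breaking old hashes.
    return f"$scrypt$n={SCRYPT_N},r={SCRYPT_R},p={SCRYPT_P}${b64(salt)}${b64(dk)}"


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    try:
        _, scheme, params, salt_b64, dk_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        kv = dict(item.split("=") for item in params.split(","))
        n, r, p = int(kv["n"]), int(kv["r"]), int(kv["p"])
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    except (ValueError, KeyError):
        return False  # malformed record: reject rather than raise
    candidate = hashlib.scrypt(_prehash(password, pepper), salt=salt,
                               n=n, r=r, p=p, maxmem=MAXMEM, dklen=len(expected))
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    # True when a record was produced with weaker work factors than the current policy.
    params = stored.split("$")[2]
    kv = dict(item.split("=") for item in params.split(","))
    return (int(kv["n"]), int(kv["r"]), int(kv["p"])) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)
```

Call needs_rehash after a successful verify_password and re-hash with the current parameters while the plaintext is still in hand; that is how work factors get raised over time without a forced reset.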
Go deeper: The science of password protection covers hashing, salting, and where authentication is headed.
Common questions
Is password hashing the same as encryption?
Why is SHA-256 not enough for password storage?
Which password hashing algorithm should I use in 2026?
Related terms
In the guides
Account Takeover Defense: A Layered Approach for 2026
ATO is the single largest CIAM threat in 2026. The defense stack is layered: credential stuffing protection, MFA, session management, and recovery design, each addressing a different attack class.
Password Security and Storage: Hashing, Salting, and What Actually Works in 2026
Passwords still exist, and storing them correctly still matters. The 2026 production-grade answer: Argon2id with per-user salt, optional pepper, no fast hashes, no reversible encryption.