What is password hashing?

A well-built system never stores your actual password. The database stores a hash: the output of a one-way function that turns your password into a fixed-length, random-looking string which cannot be turned back into the password.

How it works

  1. You sign up with the password mypassword123.
  2. The server picks a fresh random salt, runs the password through a slow password-hashing function (bcrypt) and gets a string like $2a$12$LJ3m4.... The $2a$ prefix identifies the bcrypt version, 12 is the cost factor, and the rest of the string holds the salt followed by the hash itself.
  3. The server stores that hash in the database — not your password.
  4. When you log in, the server reads the cost factor and salt back out of the stored string, hashes what you typed with exactly those parameters, and compares the result to the stored hash.
  5. If they match, you're in. If not, login fails.
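The five steps above as runnable code, added here as an example rather than code from the original page. Because bcrypt is not in Python's standard library, scrypt from hashlib stands in for it: both take a random salt and a tunable cost, and both keep the parameters inside the stored string so the login side can recompute the hash. The users dictionary, the $scrypt$... storage format and the function names are assumptions made for this example; with the pyca bcrypt package the equivalent calls are bcrypt.hashpw(password, bcrypt.gensalt(rounds=12)) at sign-up and bcrypt.checkpw(password, stored) at login.

```python
import base64
import hashlib
import hmac
import os

# Cost parameters for scrypt, the stand-in for bcrypt in this example. n is the
# work factor (each doubling doubles time and memory); 2**14 with r=8 uses ~16 MiB.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
HASH_BYTES = 32

# Hypothetical users table: username -> stored hash string. No plaintext lives here.
users = {}


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str) -> str:
    """Hash a new password with a fresh random salt.

    The result is one self-describing string (format assumed for this example):
        $scrypt$<n>$<r>$<p>$<salt-b64>$<hash-b64>
    Storing the parameters next to the hash lets verification recompute exactly the
    same thing later, and lets the cost be raised for new hashes without breaking old ones.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_BYTES)
    return f"$scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash `password` with the salt and cost embedded in `stored`, then compare."""
    try:
        _, scheme, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:
        return False  # malformed record: a failed login, never a match
    # Constant-time comparison so response time does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def sign_up(username: str, password: str) -> None:
    """Steps 1-3: hash the password and store only the hash."""
    users[username] = hash_password(password)


def log_in(username: str, password: str) -> bool:
    """Steps 4-5: hash what the user typed and compare it with the stored hash."""
    stored = users.get(username)
    if stored is None:
        # Do the same amount of work for unknown users so timing does not
        # reveal which usernames exist.
        hash_password(password)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    sign_up("alice", "mypassword123")
    print(users["alice"])
    print(log_in("alice", "mypassword123"), log_in("alice", "wrong"), log_in("bob", "x"))
```

Two details matter beyond the five steps: the salt is random per password, so two users with the same password get different hashes and a precomputed table is useless, and the final comparison is constant-time so a wrong guess fails in the same amount of time no matter how close it was.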

Why not just store the password?

If someone steals the database, they get every user's password in the clear, and because many people reuse passwords across websites, one breach unlocks accounts elsewhere. With hashing, the attacker gets only hashes. A hash cannot be reversed; the only way to recover a password from it is to guess candidates, hash each one exactly as the server did, and look for a match. That is why the hash function has to be slow, and why weak or common passwords remain at risk even when hashed.

Why bcrypt?

General-purpose hash functions like SHA-256 are designed to be fast, and for password storage that is the problem: a single GPU can test billions of SHA-256 guesses per second. Bcrypt is deliberately slow and tunable. Its cost factor sets how much work each hash takes, each increment doubles it, and at cost 12 one hash takes roughly 250 milliseconds on typical server hardware. A user logging in barely notices a quarter-second delay, but an attacker working through a stolen table can try only a few guesses per second per CPU core instead of billions, and bcrypt's memory access pattern makes it a poor fit for GPUs. Two practical caveats: the cost factor should be raised over time as hardware gets faster (storing it in the hash string is what makes that possible), and bcrypt only looks at the first 72 bytes of a password, so longer inputs are silently truncated unless the application handles that.
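A constructed dictionary attack against one stolen hash, added here as an example (not from the original page) to put numbers on the fast-versus-slow argument. scrypt from the standard library again stands in for bcrypt, with its n parameter playing the role of bcrypt's cost factor; the six-word WORDLIST, the salt and the demo() function are assumptions made for the example. Run on your own machine it shows three things: the attack recovers a weak password regardless of algorithm, the plain SHA-256 loop tests orders of magnitude more guesses per second than the slow hash, and raising the cost by two quadruples the time per hash.

```python
import hashlib
import os
import statistics
import time

# Constructed wordlist standing in for the top of a real leaked-password list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "mypassword123", "hunter2"]
SALT = os.urandom(16)  # one salt, as if read out of a single stolen hash record


def fast_hash(password: bytes, salt: bytes) -> bytes:
    """What the page warns against: one pass of a general-purpose hash."""
    return hashlib.sha256(salt + password).digest()


def slow_hash(password: bytes, salt: bytes, cost: int = 14) -> bytes:
    """Deliberately slow password hash. scrypt stands in for bcrypt; `cost` maps to
    scrypt's n = 2**cost, so each +1 doubles the work like bcrypt's cost factor."""
    return hashlib.scrypt(password, salt=salt, n=2 ** cost, r=8, p=1, dklen=32)


def crack(target: bytes, salt: bytes, hash_fn):
    """Offline dictionary attack: hash each guess the way the server did, look for a match."""
    for guess in WORDLIST:
        if hash_fn(guess.encode("utf-8"), salt) == target:
            return guess
    return None


def guesses_per_second(hash_fn, salt: bytes, budget_s: float = 0.3) -> float:
    """Cycle through WORDLIST for about budget_s seconds and report the guess rate."""
    start = time.perf_counter()
    deadline = start + budget_s
    count = 0
    while True:
        for word in WORDLIST:
            hash_fn(word.encode("utf-8"), salt)
            count += 1
        if time.perf_counter() >= deadline:
            break
    return count / (time.perf_counter() - start)


def seconds_per_hash(cost: int, samples: int = 3) -> float:
    """Median wall-clock time of one slow hash at the given cost."""
    times = []
    for _ in range(samples):
        t0 = time.perf_counter()
        slow_hash(b"mypassword123", SALT, cost)
        times.append(time.perf_counter() - t0)
    return statistics.median(times)


def demo() -> dict:
    """Run the comparison and return the numbers so they can be inspected or asserted on."""
    stolen = slow_hash(b"mypassword123", SALT)      # the record an attacker dumped
    return {
        "cracked": crack(stolen, SALT, slow_hash),   # recovered despite the slow hash
        "sha256_rate": guesses_per_second(fast_hash, SALT),
        "slow_rate": guesses_per_second(slow_hash, SALT),
        "t_cost12": seconds_per_hash(12),
        "t_cost14": seconds_per_hash(14),
    }


if __name__ == "__main__":
    r = demo()
    print(f"recovered: {r['cracked']}")
    print(f"SHA-256: {r['sha256_rate']:,.0f} guesses/s   slow hash: {r['slow_rate']:,.1f} guesses/s")
    print(f"cost 12: {r['t_cost12'] * 1000:.1f} ms   cost 14: {r['t_cost14'] * 1000:.1f} ms")
```

The first result is the one to take seriously: a slow hash buys time, it does not make a password in every wordlist safe. The rate gap is what that time buys, and the cost timings show the knob you turn to widen it as hardware improves.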