Security 6 min read

5 Ways You're Storing Passwords Wrong (And How Hackers Exploit It)

Most AI-generated apps store passwords insecurely. If hackers get your database, they'll have every user's password in seconds. Here's what you need to fix.

Here's a scary truth: When hackers breach a database, the first thing they do is steal the passwords.

If you're storing them wrong, they don't even need to crack anything. They just read them directly from your database and log in as your users.

ChatGPT and Claude often generate insecure password storage code. Let's fix it before someone exploits it.

1 Storing Passwords in Plain Text

What it looks like:

// ❌ NEVER DO THIS
db.users.insert({
    email: "user@example.com",
    password: "mySecretPassword123"
})
                    

Why it's catastrophic: If anyone gets access to your database—through a hack, a disgruntled employee, or a backup left in the wrong place—they see every password immediately. No cracking required.

Real consequences:

Hackers log in as your users on your site
They try those passwords on Gmail, bank accounts, social media (most people reuse passwords)
Your users get hacked on multiple sites because YOU leaked their password
Lawsuits, GDPR fines up to $20 million, complete loss of trust

2 Using Simple Encryption (MD5, SHA-1, SHA-256 Without Salt)

What it looks like:

// ❌ STILL WRONG
const hashedPassword = md5(password);
// or
const hashedPassword = sha256(password);
                    

Why it fails: These are hashing algorithms, not encryption—but they're designed for speed, not security. Hackers use "rainbow tables" (pre-computed hashes of common passwords) to reverse them instantly.

How fast can hackers crack MD5?

On a gaming PC: 200 billion passwords per second
Common 8-character password: Cracked in under 1 second
With rainbow tables: Instant for common passwords

The fix isn't just adding salt—you need a SLOW hashing algorithm designed for passwords.

3 Using Encryption Instead of Hashing

What it looks like:

// ❌ WRONG APPROACH
const encryptedPassword = encrypt(password, secretKey);
db.save({ email, password: encryptedPassword });
                    

The problem: Encryption is reversible. If someone gets your encryption key (and they will—it's in your code or env file), they decrypt ALL passwords at once.

You need hashing, not encryption:

Encryption: Can be reversed with a key → Bad for passwords
Hashing: One-way transformation, can't be reversed → Good for passwords

4 Not Using a Salt (Or Using the Same Salt for Everyone)

What it looks like:

// ❌ BETTER BUT STILL WRONG
const salt = "my_app_salt_2024"; // Same for all users
const hashedPassword = hash(password + salt);
                    

Why this fails: If two users have the same password, they'll have the same hash. Hackers can use rainbow tables pre-computed with your salt.

What you need: A unique, random salt for EVERY user. Store it alongside the hashed password.

5 Using a Fast Hashing Algorithm

What it looks like:

// ❌ LOOKS SECURE BUT ISN'T
const salt = randomBytes(16);
const hashedPassword = sha512(password + salt);
                    

The problem: SHA-512 is fast. That's great for checksums, terrible for passwords. A hacker with a GPU can try billions of passwords per second.

You need SLOW algorithms: bcrypt, argon2, or scrypt. They're designed to be computationally expensive so brute-force attacks take years instead of minutes.

The Right Way: bcrypt

Here's how to store passwords securely. It's actually simpler than the wrong ways:

Node.js Example (bcrypt):

// ✅ CORRECT
const bcrypt = require('bcrypt');

// When user signs up or changes password:
const saltRounds = 10;
const hashedPassword = await bcrypt.hash(password, saltRounds);
db.save({ email, password: hashedPassword });

// When user logs in:
const user = await db.findOne({ email });
const isValid = await bcrypt.compare(password, user.password);
if (isValid) {
    // Log them in
}
                

Python Example (bcrypt):

# ✅ CORRECT
import bcrypt

# When user signs up:
hashed = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt())
db.save({'email': email, 'password': hashed})

# When user logs in:
user = db.find_one({'email': email})
if bcrypt.checkpw(password.encode('utf-8'), user['password']):
    # Log them in
                

Why bcrypt is great:

Automatically generates a random salt for each password
Intentionally slow—takes ~100ms to hash (vs nanoseconds for SHA-256)
Adjustable difficulty: Increase saltRounds as computers get faster
Industry standard, battle-tested for decades

✅ Even Better: Use argon2

Argon2 won the Password Hashing Competition in 2015. It's the most secure option available:

// Node.js with argon2
const argon2 = require('argon2');

const hashedPassword = await argon2.hash(password);
const isValid = await argon2.verify(user.password, password);
                    

Both bcrypt and argon2 are excellent. Pick one and stick with it.

Don't Roll Your Own Crypto

You might think: "I'll create my own super secure password system by combining MD5 with SHA-256, double salting, and reversing the string!"

Don't.

Security experts have spent decades designing bcrypt and argon2. They've thought of attacks you haven't. They've fixed vulnerabilities you don't know exist.

Use the battle-tested libraries. That's what pros do.

Migration: Fixing Existing Passwords

If you already launched with insecure passwords, here's how to fix it:

Option 1: Force Password Reset (Clean but annoying)

Add a password_secure column to your users table
On next login, if password_secure is null, force a password reset
Store the new password with bcrypt
Set password_secure = true

Option 2: Gradual Migration (Invisible to users)

Keep old password column
Add new password_hash column
On login: verify old password, then re-hash with bcrypt and save to new column
After 90 days, delete old password column

Check If Your Passwords Are Secure

VibeCheck scans your code to see how you're storing passwords and warns you if you're using insecure methods.

Scan My Code Free →

Quick Security Checklist

Before you launch, verify:

✅ Using bcrypt or argon2 (not MD5, SHA, or plain text)
✅ Each password has a unique salt (automatic with bcrypt/argon2)
✅ Using at least 10 rounds/iterations (default is fine)
✅ Passwords never stored or logged in plain text anywhere
✅ Password reset tokens expire after 1 hour
✅ Users can't set common passwords like "password123"

The Bottom Line

Password security sounds complicated, but it's actually simple:

1. Install bcrypt or argon2
2. Use it to hash passwords
3. Never look back

That's it. Two lines of code to protect your users from catastrophic data breaches.

Don't let AI-generated code put your users at risk. Fix password storage now, sleep better tonight.