
What is Hashing?

A one-way mathematical function that converts data of any size into a fixed-size value (the hash, or digest). Unlike encryption, hashing has no key and is not designed to be reversed: you can only check whether a candidate input produces a known hash.

In plain English

Hashing is like a fingerprint. You can't reconstruct a person from their fingerprint, but you can check if a fingerprint matches a person on file. Similarly, you store the hash of a password and later check if a submitted password produces the same fingerprint.

How it works

A hash function takes input of any length and produces a fixed-length output. The same input always produces the same hash, but even a tiny change in input produces a completely different hash. For password storage, algorithms like bcrypt add a random 'salt' to each password before hashing, so even identical passwords produce different hashes.

Why it matters for AI-built apps

Password storage is the most critical use of hashing. AI tools frequently generate code that stores passwords in plain text or hashes them with fast, general-purpose functions like MD5 or SHA-256, which are built for speed and were never meant for password storage. A single database leak with poorly hashed passwords exposes millions of accounts to cheap offline cracking.

Common issues

Common mistakes include using MD5 or a SHA-family hash for passwords (too fast, so guessing is cheap), hashing without a salt (which lets attackers reuse precomputed rainbow tables and reveals which users share a password), using one global salt instead of a random salt per password (a single precomputed table then still cracks every account), and confusing encoding such as Base64 with hashing (Base64 is reversed by anyone who reads it). AI-generated code frequently uses crypto.createHash('sha256') for passwords instead of bcrypt.

Best practices

Always use bcrypt, scrypt, or Argon2 (Argon2id is the recommended variant) for password hashing, never MD5, SHA-1, or SHA-256 on their own. These algorithms are deliberately slow, and scrypt and Argon2 are also memory-hard, so every guess costs the attacker far more than it costs your login page. Use a random salt per password: bcrypt generates and stores one automatically; with scrypt or Argon2, confirm that your library does the same, or generate the salt yourself from a cryptographically secure random source and store it alongside the hash. Set the cost factor high enough that one hash takes at least 250 ms on the server that will actually run it, and store the parameters with each hash so you can raise them later without breaking existing accounts. Be aware that bcrypt only uses the first 72 bytes of a password; reject or pre-hash longer inputs rather than letting them be truncated silently. Use SHA-256 for data integrity checks, not password storage.

Frequently asked questions

My app uses SHA-256 for passwords — is that secure?

No. SHA-256 is a fast hash designed for data integrity, not password storage. Modern GPUs compute billions of SHA-256 hashes per second, so an attacker holding a leaked database can test every common password against every account in minutes. Switch to bcrypt, scrypt, or Argon2, which are deliberately slow and designed for password hashing. You can migrate without a forced reset: verify against the old SHA-256 hash on a user's next login, then store a new bcrypt or Argon2 hash of the password they just entered.

What is a 'salt' in hashing and why does it matter?

A salt is random data added to a password before hashing and stored alongside the resulting hash. Without a salt, two users with the same password have identical hashes, and attackers can use precomputed 'rainbow tables' to crack common passwords instantly. A random salt per password makes each stored hash unique even when passwords repeat, so the attacker has to guess against every hash separately. Bcrypt generates and stores the salt automatically.

Check your app

Get a professional review of your app at a fixed price.

Security Scan

Black-box review of your public-facing app. No code access needed.

$19
  • OWASP Top 10 checks
  • SSL/TLS analysis
  • Security headers
  • Expert review within 24h

Code Audit

In-depth review of your source code for security, quality, and best practices.

$19
  • Security vulnerabilities
  • Code quality review
  • Dependency audit
  • AI pattern analysis
Complete Bundle (Best Value)

Both scans in one package with cross-referenced findings.

$29 (regularly $38)
  • Everything in both products
  • Cross-referenced findings
  • Unified action plan

100% credited toward any paid service. Start with an audit, then let us fix what we find.

Worried about hashing in your app?

Get a professional code audit ($19) or book a free call to discuss your concerns.
