Passwords and Hashes: Storage, Verification, and Algorithm Choice

Why MD5 must not store passwords, when to use bcrypt vs SHA-256, and how to use Towalles tools safely for local verification and learning.

· All guides

Hashing is not encryption

Hashing is a one-way digest: same input yields same output; you cannot reverse the digest to get the original. Encryption is reversible with a key. Password storage must use one-way hashing + salt + slow algorithms—never encrypt-and-store; one key leak exposes all passwords. hash-generator helps understand MD5, SHA-256 digest behavior but must not be used for password storage.

SHA-256 suits file checksums, blockchain, API signatures—fast, deterministic integrity. Passwords need intentional slowness: bcrypt, scrypt, Argon2 use cost factors against brute force. Towalles bcrypt tool demonstrates rounds and hash format for learning; production must use mature server-side libraries.

Password policy and generation

Strong passwords are not endless complexity rules. Modern NIST guidance: length first (12+ chars), check breach databases (Have I Been Pwned), avoid forced rotation that drives sticky notes. password-generator creates random passphrases; password-strength evaluates entropy and weak patterns for team training—never collect real employee passwords for testing.

Multi-factor authentication (MFA) beats longer passwords alone. Tool sites cannot replace identity providers—implement OAuth, WebAuthn, TOTP in your app architecture. Local generators suit test account passwords; replace with secrets management or env-injected credentials before deployment.

API signatures and HMAC

Webhooks and open APIs often use HMAC-SHA256 to verify request bodies: client and server share a secret, compute MAC over a canonical string, and compare. This differs from password hashing—HMAC needs a secret and constant-time comparison against timing attacks. hmac-generator reproduces doc examples locally to verify your implementation matches official SDK output.

Never paste production secrets into any online tool (Towalles included). Use redacted samples or rotated old keys for integration testing. Combining hash-generator and hmac-generator clarifies the boundary between digest, keyed digest, and JWT signing—a frequent backend interview and code review topic.

Related tools