benrutter 9 days ago

That's still not perfect though!

Most leaked passwords online come initially from leaked hashes, which bad actors crack with tools like hashcat.

If your user has a password like "password123" and the hash gets out, then the password is effectively out too, since people can easily look up the hash of previously cracked passwords like "password123".

csnover 9 days ago | parent | next [-]

No. This is why salts[0] are used.

[0] https://en.wikipedia.org/wiki/Salt_(cryptography)

integralid 9 days ago | parent | next [-]

This is how it should be done. But it still doesn't protect users fully, because an attacker can try to brute-force the passwords they're interested in. It requires much more effort though.

incorrecthorse 9 days ago | parent | prev [-]

And compute-intensive hash functions. Computers these days are powerful enough to hashcat each individual pwd+salt if a fast hashing function is used.

Macha 9 days ago | parent | prev [-]

Salting already fixed this decades ago, and most modern password libraries will automatically generate and verify against a hash like <method>$salt$saltedhash if you use them instead of rolling your own.
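The whole thread in one runnable piece: the lookup attack against an unsalted fast hash (benrutter's point), a per-user random salt that defeats the lookup (csnover, Macha), a compute-intensive KDF so that each guess costs real work (incorrecthorse), and the targeted brute force that a salt does not prevent, only slows down (integralid). This is an added example, not code from any commenter or from a specific password library. Assumptions: the "cracked password" table is a constructed four-entry list, the storage format is a Django-style variant of Macha's <method>$salt$saltedhash with an iterations field added, and the 600,000-iteration PBKDF2-HMAC-SHA256 count is an illustrative figure to tune for your own hardware.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed list standing in for a table of previously cracked passwords.
COMMON_PASSWORDS = ["password123", "letmein", "qwerty", "hunter2"]


def unsalted_sha256(password: str) -> str:
    """Fast, unsalted hash: every user with the same password gets the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# An attacker's precomputed lookup table (digest -> plaintext), built once and
# reused against every leaked database that stores unsalted SHA-256.
LOOKUP_TABLE = {unsalted_sha256(p): p for p in COMMON_PASSWORDS}


def crack_by_lookup(digest_hex: str) -> Optional[str]:
    """Instant recovery when the digest is already in the table; no hashing needed."""
    return LOOKUP_TABLE.get(digest_hex)


# Salted and compute-intensive: PBKDF2-HMAC-SHA256 with a per-user random salt,
# stored as "<method>$<iterations>$<salt>$<hash>". The iteration count is an
# assumption for this example; tune it to your hardware.
METHOD = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Produce a storable record; a fresh 128-bit salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{METHOD}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        method, iterations_str, salt_hex, hash_hex = stored.split("$")
        if method != METHOD:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iterations_str)
    except ValueError:          # wrong field count, bad hex, non-numeric count
        return False
    if iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def crack_by_brute_force(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """What a salted, slow hash leaves the attacker: one full PBKDF2 run per guess,
    per user, with nothing to precompute because the salt is unique to that user."""
    for candidate in candidates:
        if verify_password(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    leaked = unsalted_sha256("password123")
    print("unsalted lookup        :", crack_by_lookup(leaked))

    stored = hash_password("password123")
    print("stored record          :", stored)
    print("salted lookup          :", crack_by_lookup(stored.split("$")[-1]))
    print("second user, same pw   :", hash_password("password123") != stored)
    print("verify correct         :", verify_password("password123", stored))
    print("verify wrong           :", verify_password("password124", stored))
    print("targeted brute force   :", crack_by_brute_force(stored, COMMON_PASSWORDS))
```

The two cracking functions show the asymmetry the thread is about: crack_by_lookup costs one dictionary access per leaked record regardless of how many records there are, while crack_by_brute_force costs a full KDF run per candidate per record and cannot be amortised across users. The iteration count is what decides how expensive that per-guess work is; with a fast function in place of PBKDF2 the salt alone would not buy much.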