Why You Should Never Store Plaintext Passwords (And How Bcrypt Fixes That)

Last year I was doing a security audit on a legacy codebase and found a users table with passwords stored in plain SHA-256. No salt. No iteration. Just a straight hash. I ran a rainbow table against it and cracked 60% of the passwords in under four minutes. That project became the reason I started thinking hard about password hashing and why bcrypt still matters in 2026. The Problem with Fast Hashes SHA-256, MD5, SHA-1 -- these are all designed to be fast. That is their job. When you are verifying file integrity or building a Merkle tree, speed is a feature. When you are hashing passwords, speed is a vulnerability. A modern GPU can compute billions of SHA-256 hashes per second. That means an attacker with a decent graphics card can brute-force an eight-character password in hours, not years. The math is brutal: if your hash function is fast, your passwords are weak, regardless of what your users type in. What Makes Bcrypt Different Bcrypt was designed by Niels Provos and David Mazieres