LetsGit.IT (interview preparation platform), category Security, difficulty medium. © 2026 LetsGit.IT.

How should passwords be stored securely?

Tags
#passwords#hashing#security

Answer

Store passwords only as salted, slow (memory- or CPU-hard) hashes: Argon2id, bcrypt, or scrypt. Never store plaintext or reversibly encrypted passwords, because anyone who obtains the database (or the key) recovers every password at once. Use a unique random salt per password, optionally a pepper kept outside the database, and enforce sensible password policies (minimum length and checks against breached-password lists rather than arbitrary complexity rules).

Advanced answer

Deep dive

Secure password storage means making offline attacks (an attacker holding a copy of the database) as expensive as possible:

  • Use Argon2id (preferred), bcrypt, or scrypt with cost parameters tuned to your hardware and re-tuned over time; OWASP's current Argon2id baseline is 19 MiB of memory, 2 iterations and 1 degree of parallelism. Remember that bcrypt only looks at the first 72 bytes of its input.
  • Generate a unique random salt per password (16 bytes is typical) and store it with the hash; a pepper is an additional site-wide secret stored separately from the database (HSM/secret manager) and applied, for example, by HMAC-ing the password with it before the slow hash.
  • Rate limit login attempts per account and per source; lock or step up to MFA on suspicious activity.
  • Record the algorithm and cost parameters alongside each hash (PHC-style strings such as $argon2id$v=19$m=...,t=...,p=...$salt$hash do this) so that when the policy is raised, old hashes still verify and are rehashed on the next successful login.

Examples

Upgrade cost on login, only after the submitted password has verified against the existing hash (the plaintext is available at no other time), and persist the new hash:

if (verifyPassword(password, storedHash) && needsRehash(storedHash)) { storedHash = hashPassword(password) }

Common pitfalls

  • Reversible encryption or storing the encryption key in the same DB.
  • Using fast hashes (MD5/SHA1) or reusing a global salt.
  • Storing password hints or sending passwords via email.

Interview follow-ups

  • When would you add a pepper and where would you store it?
  • How do you migrate existing hashes to a stronger scheme?
  • How do you protect against credential stuffing?
