Storing passwords safely
The big rule: never store plain passwords
- If a website stores your password as plain text and gets hacked, every password is stolen instantly.
- Instead, sites store a hash — a scrambled fingerprint that cannot be reversed back into the password.
What is a hash?
- A hash function turns any input into a fixed-length string. The same input always gives the same hash.
- It is one-way: easy to compute forwards, practically impossible to reverse.
- When you log in, the site hashes what you typed and compares it to the stored hash — it never sees your actual password again.
import hashlib
# SHA-256 of the bytes b"hello", shown as a 64-character hex digest
print(hashlib.sha256(b"hello").hexdigest())
Add salt
- If two users pick the same password, their hashes match — a clue for attackers.
- A salt is a random string added before hashing, so identical passwords get different hashes.
- It also defeats pre-computed "rainbow table" attacks. Always salt.
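The salted scheme described above, as an added example that is not part of the original page: each user gets a fresh random salt, the database keeps only salt and digest, and login re-hashes the attempt. The `users` dictionary and the usernames and passwords are constructed demo data.

```python
import hashlib
import hmac
import os


def make_salt() -> str:
    # 16 random bytes, hex-encoded: a fresh salt per user, never reused.
    return os.urandom(16).hex()


def hash_password(salt: str, password: str) -> str:
    # Hash salt + password with SHA-256, exactly as the exercise describes.
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def store_user(db: dict, username: str, password: str) -> None:
    # The stored row holds the salt and the digest, never the password itself.
    salt = make_salt()
    db[username] = {"salt": salt, "digest": hash_password(salt, password)}


def check_login(db: dict, username: str, attempt: str) -> bool:
    # Re-hash the typed password with the stored salt and compare digests.
    row = db.get(username)
    if row is None:
        return False
    candidate = hash_password(row["salt"], attempt)
    # compare_digest compares in constant time, so a mismatch does not
    # leak how many leading characters matched.
    return hmac.compare_digest(candidate, row["digest"])


if __name__ == "__main__":
    users = {}  # constructed in-memory "database" for the demo
    store_user(users, "alice", "correct horse")
    store_user(users, "bob", "correct horse")
    # Same password, different salts -> different digests.
    print(users["alice"]["digest"] != users["bob"]["digest"])  # True
    print(check_login(users, "alice", "correct horse"))        # True
    print(check_login(users, "alice", "wrong password"))       # False
```

Real systems use a deliberately slow password hash (PBKDF2 via `hashlib.pbkdf2_hmac`, bcrypt or Argon2) rather than a single SHA-256 round, so that guessing a leaked digest is expensive; the salt-and-verify structure stays the same.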
Your turn
- Hash salt + password with SHA-256. The check confirms you produced the correct 64-character digest.
Covers: A-Level 6.1, 17.1 (encryption/hashing).
Never store a plain password — store its hash. Using hashlib, hash the salt + password with SHA-256 and put the hex digest in a variable called digest.