TL;DR
Never store passwords in plain text. Use bcrypt, argon2, or scrypt with automatic salting and appropriate work factors. These prompts help you implement password hashing correctly, migrate existing plain text passwords, and verify hashes securely.
Implement Password Hashing
Add bcrypt password hashing to my user registration and login.
Language: JavaScript/TypeScript/Python
Requirements:
- Hash password on registration with bcrypt
- Verify password on login
- Use cost factor of 12 (adjust for your server)
- Handle async operations properly
- Cap input at 72 bytes (bcrypt silently truncates anything longer)
- Never log, echo, or persist the plain-text password, and keep its lifetime short (JavaScript and Python strings are immutable, so it cannot be reliably zeroed from memory)
Create helper functions:
- hashPassword(plainText) -> hash
- verifyPassword(plainText, hash) -> boolean
Also add:
- Password strength validation before hashing
- Timing-safe comparison
- Error handling for invalid hashes
Show me how to integrate with my user model.
Argon2 (Recommended for New Projects)
Implement argon2 password hashing (memory-hard, so GPU and ASIC cracking is far more expensive than against bcrypt).
Language: JavaScript/TypeScript/Python
Use argon2id variant with recommended parameters:
- Memory: 64 MiB (memory_cost 65536 KiB; together with the values below this is the RFC 9106 profile for servers that cannot spare gigabytes per hash)
- Iterations: 3
- Parallelism: 4
- Hash length: 32 bytes
Create:
- hashPassword function with argon2id
- verifyPassword function
- Configuration object for parameters
- Migration helper from bcrypt to argon2
Handle:
- Systems with limited memory (fallback params, but never below the OWASP minimum of 19 MiB, 2 iterations, parallelism 1)
- Async operations
- Error cases (invalid hash format)
Include parameter tuning guidance for my server specs.
Never use MD5, SHA1, or SHA256 alone for passwords: these are fast hashes designed for data integrity, not password storage, and a single GPU tries billions of them per second. Salting does not change that. Use bcrypt, argon2, or scrypt, which are intentionally slow (or memory-hard); fall back to PBKDF2 with a high iteration count only where a FIPS-validated primitive is mandatory.
Migrate Plain Text Passwords
My database has passwords stored in plain text. Create a migration plan.
Current state: passwords in plain text in users table
Migration strategy:
- Add new 'password_hash' column
- Batch-hash every existing row immediately: the plain text is already available, so there is no reason to wait for each user's next login
- Deploy a login flow that verifies against 'password_hash' and falls back to the old column only for rows the batch has not reached yet (hash and null the plain text on that first login)
- Background job to force-reset rows the batch could not convert (empty or null passwords)
- Null out, then drop, the old 'password' column once every row has a hash; purge backups, replicas, and log archives that still contain plain text
Implementation needed:
- Migration script to add column
- Updated login flow that handles both
- Background job for forced resets
- Audit logging for migration progress
- Rollback plan if issues occur
Timeline: batch conversion within hours of deploy; old column dropped as soon as the job and the audit log agree that every row is hashed (30 days is an upper bound, not a target)
After migration: force password reset for any unconverted rows, and consider a reset for all users, since the plain-text values were exposed to everyone who ever had database or backup access
Rehashing on Login
Implement automatic rehashing when hash parameters are outdated.
Scenario: I increased bcrypt cost from 10 to 12.
Old users still have cost=10 hashes.
On successful login:
- Verify password against existing hash
- Check whether the stored hash's algorithm and parameters match the current config (bcrypt encodes the cost in the hash prefix, e.g. '$2b$10$...'; argon2 and scrypt PHC strings carry their parameters the same way)
- If outdated, rehash with new parameters
- Update stored hash
Implement:
- Function to check if hash needs upgrade
- Rehash and save after successful verification
- Support multiple hash algorithms (for migrations)
- Logging for rehash events
This ensures all active users get upgraded hashes without requiring password resets.
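The three prompts above (the hashing helpers, the plain-text migration, and rehash-on-login) all hang off the same mechanism: a stored hash that describes its own parameters, so the login path can check them and upgrade storage after a successful verify. The following is an added example, not code from the original page. It uses hashlib.scrypt from the Python standard library so it runs without third-party packages; the parameter values, the column names and the audit-log shape are assumptions. With bcrypt the same structure uses bcrypt.hashpw/bcrypt.checkpw and the cost parsed from the '$2b$NN$' prefix; with argon2-cffi, PasswordHasher.verify and PasswordHasher.check_needs_rehash play the roles of verify_password and needs_rehash.

```python
"""Password hashing helpers with parameter-aware rehashing and plain-text migration.
Added example (not from the original page); scrypt stands in for bcrypt/argon2 so it
runs offline. Swap _derive/verify for your library's calls in production."""
import hashlib
import hmac
import os
import re

# Current production parameters (assumed values): scrypt cost n = 2**ln, block size r,
# parallelism p. Raising any of them makes every older hash "outdated" for needs_rehash().
CURRENT_PARAMS = {"ln": 14, "r": 8, "p": 1}
MIN_PASSWORD_LEN = 12
MAX_PASSWORD_BYTES = 72  # bcrypt silently truncates at 72 bytes; enforce the same cap here

_SCRYPT_RE = re.compile(r"^\$scrypt\$ln=(\d+),r=(\d+),p=(\d+)\$([0-9a-f]+)\$([0-9a-f]+)$")
_BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$")  # bcrypt stores its cost in the prefix


def validate_strength(plain: str) -> None:
    """Policy check for *new* passwords; raises ValueError on failure."""
    if len(plain) < MIN_PASSWORD_LEN:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LEN} characters")
    if len(plain.encode()) > MAX_PASSWORD_BYTES:
        raise ValueError(f"password must be at most {MAX_PASSWORD_BYTES} bytes")


def _derive(plain: str, salt: bytes, params: dict) -> bytes:
    return hashlib.scrypt(plain.encode(), salt=salt, n=1 << params["ln"], r=params["r"],
                          p=params["p"], dklen=32, maxmem=64 * 1024 * 1024)


def hash_password(plain: str, params: dict = CURRENT_PARAMS, enforce_policy: bool = True) -> str:
    """Return a self-describing hash string: parameters, random salt and digest travel together."""
    if enforce_policy:
        validate_strength(plain)
    salt = os.urandom(16)
    return "$scrypt$ln={ln},r={r},p={p}${s}${h}".format(
        **params, s=salt.hex(), h=_derive(plain, salt, params).hex())


def parse_params(stored: str):
    """Return (algorithm, parameters) for a stored hash; ValueError on an unknown format."""
    m = _SCRYPT_RE.match(stored or "")
    if m:
        return "scrypt", {"ln": int(m[1]), "r": int(m[2]), "p": int(m[3])}
    m = _BCRYPT_RE.match(stored or "")
    if m:
        return "bcrypt", {"cost": int(m[1])}
    raise ValueError("unrecognised password hash format")


def verify_password(plain: str, stored: str) -> bool:
    algo, params = parse_params(stored)  # corrupt rows surface as an error, not a silent lockout
    if algo != "scrypt":  # a multi-algorithm deployment dispatches here, e.g. to bcrypt.checkpw
        raise ValueError(f"{algo} hashes need that library's verify function")
    if len(plain.encode()) > MAX_PASSWORD_BYTES:
        return False
    m = _SCRYPT_RE.match(stored)
    salt, expected = bytes.fromhex(m[4]), bytes.fromhex(m[5])
    return hmac.compare_digest(_derive(plain, salt, params), expected)  # constant-time compare


def needs_rehash(stored: str) -> bool:
    """True when the stored hash uses a legacy algorithm or non-current parameters."""
    algo, params = parse_params(stored)
    return algo != "scrypt" or params != CURRENT_PARAMS


def login(user: dict, plain: str, audit: list) -> bool:
    """Authenticate one row ({'id','password','password_hash'}); upgrade storage on success."""
    if user.get("password_hash") is None:
        # Legacy plain-text row the batch job has not reached yet: compare constant-time, convert.
        legacy = user.get("password") or ""
        if not legacy or not hmac.compare_digest(legacy.encode(), plain.encode()):
            return False
        # Old passwords may predate the strength policy; hash anyway, leave policy to reset flows.
        user["password_hash"], user["password"] = hash_password(plain, enforce_policy=False), None
        audit.append(("migrated_plaintext", user["id"]))
        return True
    if not verify_password(plain, user["password_hash"]):
        return False
    if needs_rehash(user["password_hash"]):  # e.g. after CURRENT_PARAMS was raised
        user["password_hash"] = hash_password(plain, enforce_policy=False)
        audit.append(("rehashed", user["id"]))
    return True


def batch_migrate_plaintext(users: list, audit: list) -> None:
    """One-off job: the plain text is on hand, so hash every row now instead of waiting for
    a login. Rows with no usable password are flagged for a forced reset."""
    for u in users:
        if u.get("password_hash") is not None:
            continue
        if not u.get("password"):
            u["force_reset"] = True
            audit.append(("force_reset", u["id"]))
            continue
        u["password_hash"], u["password"] = hash_password(u["password"], enforce_policy=False), None
        audit.append(("migrated_plaintext", u["id"]))


if __name__ == "__main__":
    # Constructed sample rows standing in for the users table.
    users = [{"id": 1, "password": "hunter2", "password_hash": None},
             {"id": 2, "password": "", "password_hash": None},
             {"id": 3, "password": None, "password_hash": hash_password(
                 "correct horse battery staple", {"ln": 13, "r": 8, "p": 1})}]
    audit = []
    batch_migrate_plaintext(users, audit)
    print(login(users[0], "hunter2", audit), login(users[2], "correct horse battery staple", audit))
    print(audit)  # row 1 migrated, row 2 flagged for reset, row 3 rehashed from ln=13 to ln=14
```

Two design points worth keeping when you port this to bcrypt or argon2: the rehash happens only after a successful verify (that is the one moment the server legitimately holds the plain text), and the rehash path deliberately skips the strength policy, because refusing to upgrade a weak old password would leave it on the weaker parameters; enforce the policy through a separate reset flow instead.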
Pro tip: Measure hash time on your production hardware, not your laptop, and under realistic load. Bcrypt cost 12 should land around 200-400ms; every +1 doubles it, so adjust in single steps against your acceptable login latency and the CPU you can spare during a login burst.
Bcrypt or Argon2?
Argon2 is newer and generally recommended for new projects. Bcrypt is battle-tested and perfectly fine as long as you respect its 72-byte input limit. Either is vastly better than MD5/SHA. The most important thing is using one of them correctly.
What cost factor should I use?
For bcrypt, start with 12 and measure: it should take 200-400ms on your server, and every +1 doubles it. For argon2id, use as much memory as you can afford per hash (64 MiB, 3 iterations, parallelism 4 is the RFC 9106 profile; 19 MiB, 2 iterations, parallelism 1 is the OWASP minimum), and remember that peak usage is the per-hash memory cost times the number of concurrent logins, so size it so that a login burst cannot exhaust the server.
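The pro tip and the cost-factor answer both come down to the same procedure: benchmark the hash on the real server and step the work factor up until it reaches the latency budget. The following is an added example, not code from the original page; the 250 ms target and the search range are assumptions to adjust per deployment. It benchmarks hashlib.scrypt because that runs without extra packages, but pick_work_factor is algorithm-agnostic: give it a bench function that times bcrypt at a given number of rounds or argon2 at a given time_cost and it picks the factor the same way.

```python
"""Work-factor tuning by measurement (added example, not from the original page)."""
import hashlib
import os
import statistics
import time


def measure_ms(fn, runs: int = 3) -> float:
    """Median wall-clock time of fn() in milliseconds; the median dampens scheduler noise."""
    samples = []
    for _ in range(runs):
        start = time.perf_counter()
        fn()
        samples.append((time.perf_counter() - start) * 1000)
    return statistics.median(samples)


def pick_work_factor(bench_ms, target_ms: float, lo: int, hi: int) -> int:
    """Smallest factor in [lo, hi] whose measured cost reaches target_ms, or hi if none does.

    A linear upward scan is enough: cost is monotonic in the factor (bcrypt rounds and
    scrypt ln double the time per step, argon2 time_cost grows linearly) and the range
    is small. bench_ms(factor) must return milliseconds for one hash at that factor.
    """
    for factor in range(lo, hi + 1):
        if bench_ms(factor) >= target_ms:
            return factor
    return hi


def scrypt_bench_ms(ln: int, r: int = 8, p: int = 1) -> float:
    """Time one scrypt derivation at n = 2**ln with a throwaway salt (benchmark only)."""
    password, salt = b"benchmark-only", os.urandom(16)
    return measure_ms(lambda: hashlib.scrypt(password, salt=salt, n=1 << ln, r=r, p=p,
                                             dklen=32, maxmem=256 * 1024 * 1024))


def scrypt_memory_mib(ln: int, r: int = 8) -> int:
    """scrypt needs 128 * r * n bytes per hash; multiply by concurrent logins for peak usage."""
    return 128 * r * (1 << ln) // (1024 * 1024)


if __name__ == "__main__":
    # Run this on the production hardware, not a laptop, and under realistic load.
    ln = pick_work_factor(scrypt_bench_ms, target_ms=250, lo=12, hi=17)
    print(f"scrypt ln={ln}: ~{scrypt_bench_ms(ln):.0f} ms and {scrypt_memory_mib(ln)} MiB per hash")
```

Re-run the benchmark whenever the hardware changes, and feed the chosen factor into the rehash-on-login check so existing users are upgraded on their next successful login rather than left on the old cost.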