C4 | Beginner

Password Security Intuition

30 min | Once

Format: Understand the correct way to store passwords.

Ranking exercise -- Rank the following password storage methods from worst to best:

  1. Plaintext storage (password = "abc123")
  2. MD5 hash (cryptographically broken and very fast to compute, so it is insecure for passwords)
  3. SHA-256 hash (stronger than MD5, but an unsalted fast hash is still vulnerable to rainbow table attacks)
  4. bcrypt/Argon2 salted hash (recommended approach, Argon2 is the latest standard)
  5. Don't store passwords -- use OAuth ("Sign in with Google")

Discussion questions:

  • Why can't you use MD5? (Search "MD5 rainbow table" for the answer)
  • What is "salting"? (Adding a random string to the password before hashing)
  • If a user forgets their password, can you recover it? (If you can, your storage is insecure)
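Added example, not part of the course material: the Python below contrasts an unsalted fast hash with a salted, deliberately slow one, and shows that verification works without ever recovering the password. PBKDF2-HMAC from the standard library stands in for bcrypt/Argon2 (which need third-party packages); the function names and the two sample users are my own.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to pick the same weak password.
USERS = {"alice": "abc123", "bob": "abc123"}


def sha256_unsalted(password: str) -> str:
    """Fast, unsalted hash: identical passwords give identical digests, so one
    precomputed (rainbow) table cracks every account that shares a password."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Salted, slow hash. PBKDF2-HMAC-SHA256 stands in for bcrypt/Argon2 here.
    The salt is random per password and stored alongside the digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time.
    Nothing in the record can be turned back into the original password."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def distinct_digests(users: dict) -> tuple:
    """Count distinct stored values for the same user set under each scheme.
    Unsalted: shared passwords collapse to one digest. Salted: every record differs."""
    unsalted = {sha256_unsalted(p) for p in users.values()}
    salted = {make_record(p)["digest"] for p in users.values()}
    return len(unsalted), len(salted)


if __name__ == "__main__":
    print("distinct digests (unsalted, salted):", distinct_digests(USERS))
    rec = make_record("abc123")
    print("correct password verifies:", verify("abc123", rec))
    print("wrong password verifies:", verify("abc124", rec))
```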

My Notes