Time Remaining5:00
hardSecurityNode.js

The weak hash

A developer asked an AI assistant to hash user passwords before storing them during signup. The suggested code stores something that looks hashed, but a leaked database would let an attacker recover most passwords within seconds.

auth.js
const crypto = require('crypto');

function hashPassword(password) {
  return crypto.createHash('sha256').update(password).digest('hex');
}

function storeUser(email, password) {
  const passwordHash = hashPassword(password);
  db.users.insert({ email, passwordHash });
}

Why is this password storage scheme considered broken, even though the password is technically hashed?

SHA-256 is a fast, unsalted general-purpose hash — attackers can precompute rainbow tables or brute-force it at billions of guesses per second, unlike a slow, salted password-hashing algorithm.
SHA-256 produces a hash that's too short to be cryptographically secure.
crypto.createHash requires a callback in modern Node.js, so this function silently returns undefined.
The password should be hashed on the client before being sent to the server instead.