hardSecurityNode.js
The weak hash
A developer asked an AI assistant to hash user passwords before storing them during signup. The suggested code stores something that looks hashed, but a leaked database would let an attacker recover most passwords within seconds.
auth.js
const crypto = require('crypto');
function hashPassword(password) {
return crypto.createHash('sha256').update(password).digest('hex');
}
function storeUser(email, password) {
const passwordHash = hashPassword(password);
db.users.insert({ email, passwordHash });
}Why is this password storage scheme considered broken, even though the password is technically hashed?
SHA-256 is a fast, unsalted general-purpose hash — attackers can precompute rainbow tables or brute-force it at billions of guesses per second, unlike a slow, salted password-hashing algorithm.
SHA-256 produces a hash that's too short to be cryptographically secure.
crypto.createHash requires a callback in modern Node.js, so this function silently returns undefined.
The password should be hashed on the client before being sent to the server instead.