Why do you hash and salt passwords rather than encrypt them? [Advanced]
Answer
Passwords are hashed and salted rather than encrypted because the application never needs the original password back; it only needs to check whether a submitted value matches. Encryption is reversible by design, so anyone who obtains the key (or the key-holding service) recovers every password at once. A unique random salt per password makes identical passwords produce different hashes, which defeats precomputed/rainbow-table attacks and prevents one guess from cracking many accounts; a slow, tunable password hash (bcrypt, scrypt, Argon2id, PBKDF2) makes each brute-force guess expensive.
Technical explanation
If encrypted passwords are stolen together with the key, the attacker recovers every password with no guessing at all; a hash database, by contrast, still has to be cracked one guess at a time.
A unique salt per password means there is no single precomputed table that works against the whole database, and two users with the same password get different hashes, so each account has to be attacked separately.
Use password-hashing algorithms designed to be slow and tunable (bcrypt, scrypt, Argon2id, PBKDF2 with a high iteration count), not fast general-purpose hashes such as MD5 or SHA-256 alone, which an attacker can evaluate billions of times per second on commodity GPUs.
Hands-on example
Hands-on: when a user registers, generate a random salt and store the bcrypt/Argon2id hash together with the salt and the cost parameters used (most libraries do this for you by emitting a single self-describing string). On login, hash the submitted password with the stored salt and parameters and compare the result using a constant-time comparison (or the library's own verify function, which does this for you). If the stored parameters are weaker than your current policy, re-hash on successful login. Never log passwords, never store them in plaintext, and never design a path that needs to "decrypt" one.
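The register/login flow above, as an added example that is not part of the original page. It uses `hashlib.scrypt` from the Python standard library as a stand-in for the bcrypt/Argon2id libraries the answer names (same idea: salted, memory-hard, tunable), with an assumed self-describing record layout and assumed cost parameters. It also shows why salting matters: an unsalted fast hash is cracked for every user from one precomputed table, while salted slow hashes force one expensive hash per guess per account. The leaked digests and word list are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumed cost parameters for this example; tune n upward on real hardware
# so that one hash takes a noticeable fraction of a second.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32
MAXMEM = 64 * 1024 * 1024  # allow scrypt's 128*n*r bytes of working memory


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Registration: fresh random salt, slow hash, self-describing record.

    Record layout (assumed, PHC-style): $scrypt$n=..,r=..,p=..$<salt b64>$<hash b64>
    Storing the parameters lets verification reproduce the hash later and
    lets you detect records that need re-hashing after a policy change.
    """
    if salt is None:
        salt = os.urandom(16)  # unique per password; never reused across users
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N,
                        r=SCRYPT_R, p=SCRYPT_P, maxmem=MAXMEM, dklen=DKLEN)
    return "$scrypt$n={},r={},p={}${}${}".format(
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"))


def verify_password(password: str, record: str) -> bool:
    """Login: re-derive with the stored salt/params, compare in constant time."""
    parts = record.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "scrypt":
        return False  # unknown or malformed record: reject, never raise to the caller
    try:
        kv = dict(item.split("=", 1) for item in parts[2].split(","))
        n, r, p = int(kv["n"]), int(kv["r"]), int(kv["p"])
        salt = base64.b64decode(parts[3])
        expected = base64.b64decode(parts[4])
    except (KeyError, ValueError):
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                        maxmem=MAXMEM, dklen=len(expected))
    # hmac.compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(dk, expected)


# --- Why salt + slow hash matters: attacker's view -------------------------

# Constructed word list standing in for a real password dictionary.
WORDLIST = ["password", "letmein", "hunter2", "qwerty"]


def sha256_hex(s: str) -> str:
    """A fast, unsalted general-purpose hash (what NOT to use for passwords)."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def crack_unsalted(leaked: List[str], wordlist: List[str]) -> Dict[str, str]:
    """One precomputed table, built once, recovers every user with a common password."""
    table = {sha256_hex(w): w for w in wordlist}  # the "rainbow table"
    return {d: table[d] for d in leaked if d in table}


def crack_salted(records: List[str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Salted records: no shared table; every guess costs one full slow hash per account.

    Returns the recovered passwords and how many hash evaluations it took.
    """
    found: Dict[str, str] = {}
    evaluations = 0
    for rec in records:
        for w in wordlist:
            evaluations += 1
            if verify_password(w, rec):
                found[rec] = w
                break
    return found, evaluations


if __name__ == "__main__":
    rec_a = hash_password("hunter2")
    rec_b = hash_password("hunter2")
    print("same password, different records:", rec_a != rec_b)
    print("login ok:", verify_password("hunter2", rec_a))
    leaked = [sha256_hex("hunter2"), sha256_hex("hunter2")]
    print("unsalted cracked with one table:", crack_unsalted(leaked, WORDLIST))
    print("salted cracked, evaluations used:", crack_salted([rec_a, rec_b], WORDLIST))
```

With four words and two accounts the salted attack already needs one scrypt evaluation per guess per account (six here), whereas the unsalted table was built once and answered both leaked digests with a dictionary lookup; scale the word list and user count up and the difference is what makes a breached database survivable.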
More Security & DevSecOps interview questions
- What is DevSecOps, and how does it differ from traditional security gating at the end? [Basic]
- What does shift-left security mean, and why does it matter? [Basic]
- What is the difference between SAST, DAST, IAST, and SCA? [Basic]
- When in the pipeline does each of SAST, DAST, and SCA run? [Basic]
- What is the difference between SAST and DAST, and what does each catch and miss? [Basic]
- What is software composition analysis (SCA), and why does it matter for dependencies? [Basic]
- What is SonarQube, and what does it analyse? [Basic]
- Is SonarQube primarily SAST, code quality, or both? [Basic]