by benrutter 317 days ago
That's still not perfect though!

Most leaked passwords online come initially from leaked hashes, which bad actors use tools like hashcat to crack.

If your user has a password like "password123" and the hash gets out, then the password is effectively out too, since people can easily look up the hash of previously cracked passwords like "password123".


No. This is why salts[0] are used.

[0] https://en.wikipedia.org/wiki/Salt_(cryptography)

This is how it should be done. But it still doesn't protect users fully, because an attacker can try to brute-force passwords they're interested in. It requires much more effort though.
And compute-intensive hash functions. Computers these days are powerful enough to hashcat each individual pwd+salt if a fast hashing function is used.
Salting already fixed this decades ago, and most modern password libraries will automatically generate and verify against a hash like <method>$salt$saltedhash if you use them instead of rolling your own.
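An added example, written for this thread and not code from any of the commenters, showing the two points made above: a leaked unsalted fast hash can be recovered from a precomputed table, while a per-user random salt plus a slow KDF stored in a `<method>$salt$saltedhash`-style string defeats that lookup and makes each guess cost real work. It uses only the Python standard library; the format name `pbkdf2_sha256`, the extra iteration-count field in the stored string, the iteration count itself and the small "precomputed" table are all assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample: a tiny stand-in for the large precomputed tables of
# unsalted hashes that the thread says turn a leaked hash into a leaked password.
COMMON_PASSWORDS = ["password123", "letmein", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Fast, unsalted SHA-256: the weak scheme the thread warns about."""
    return hashlib.sha256(password.encode()).hexdigest()


UNSALTED_TABLE = {unsalted_hash(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(leaked_hash: str) -> Optional[str]:
    """Recover a password from a leaked unsalted hash by table lookup, if present."""
    return UNSALTED_TABLE.get(leaked_hash)


# Assumed work factor for the slow KDF; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
METHOD = "pbkdf2_sha256"  # assumed method label for the stored string


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a stored string of the shape <method>$iterations$salt$saltedhash.

    A fresh 16-byte random salt is generated per password, so two users with
    the same password get different hashes and no shared lookup table applies.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{METHOD}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and iteration count and compare
    in constant time. Malformed or unknown-method strings verify as False."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != METHOD:
        return False
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        expected = bytes.fromhex(parts[3])
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(actual, expected)


def salted_hash_is_in_table(stored: str) -> bool:
    """Show that the salted digest is useless against the unsalted table."""
    digest_hex = stored.split("$")[3]
    return lookup_unsalted(digest_hex) is not None


if __name__ == "__main__":
    leaked = unsalted_hash("password123")
    print("unsalted leak recovered as:", lookup_unsalted(leaked))
    stored = hash_password("password123")
    print("stored:", stored)
    print("verify correct password:", verify_password("password123", stored))
    print("verify wrong password:  ", verify_password("password124", stored))
    print("salted digest found in table:", salted_hash_is_in_table(stored))
```

The iteration count is stored alongside the salt so that it can be raised later for new passwords while old entries still verify; the `compare_digest` call avoids leaking timing information about how many digest bytes matched.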