🔐 How Password Hashing Works

An introduction to bcrypt, salting, and why Hugo never stores your actual password — only a secure, irreversible hash.

Hugo Team · March 23, 2026
Tags: security · password · bcrypt · hashing · salt · authentication

When you create an account on Hugo, your password is never stored in plain text — not even in encrypted form. Instead, it's transformed into an irreversible hash using bcrypt, a password-specific hashing algorithm designed to be slow and resistant to brute-force attacks.[1]

Password Hashing Pipeline (figure): 🔑 Password "myPass" → 🧂 Add Salt (random 128-bit) → ⚙️ Bcrypt (2¹² rounds) → 🔐 Hash $2b$12$...

What is Hashing?

Hashing is a one-way mathematical function that converts any input into a fixed-length string of characters. Unlike encryption (which can be reversed with a key), hashing cannot be reversed — there's no way to recover the original password from the hash.[1]

```text
password: "mySecurePass123"
hash:     "$2b$12$LJ3m4kQ8rF1vG5nX7hY9B.8Kx2wP5mN3qT6uR9jS4cA1dE7fH0iJ"
```

Why Bcrypt?

Hugo uses bcrypt specifically because it was designed for password hashing with these security properties:[2]

  • Adaptive cost factor — The difficulty can be increased as computers get faster (Hugo uses cost factor 12, meaning 2¹² = 4,096 rounds of processing).[2]
  • Built-in salt — Each password hash includes a random salt, ensuring identical passwords produce different hashes.[2]
  • Intentionally slow — While SHA-256 can hash billions of passwords per second, bcrypt takes ~100ms per hash, making brute-force attacks impractical.[1]
  • Time-tested — Bcrypt has been used in production systems since 1999 with no practical attacks found.[2]

What is Salting?

A salt is a random value added to the password before hashing.[1] Without salting, two users with the same password would have identical hashes — an attacker could use precomputed lookup tables (rainbow tables) to crack them instantly. With salting, even identical passwords produce unique hashes.

ℹ️ Hugo's Implementation

Hugo uses bcrypt's built-in salting mechanism, which automatically generates a cryptographically random 128-bit salt for each password and embeds it in the hash output. The backend uses Python's passlib library with bcrypt.[1]

Login Verification

When you log in, Hugo takes the password you entered, hashes it with the same salt stored in your account's hash, and compares the result. If the hashes match, you're authenticated. At no point is your actual password compared or stored.
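As an added example (not Hugo's own code), the standard-library part below parses a stored `$2b$12$...` string into its version, cost, round count and the embedded 128-bit salt, and flags hashes made with a cost below current policy, which is how the adaptive cost factor above is enforced at login time; the `login` helper shows the verify-then-rehash flow using passlib's real `bcrypt.verify` and `bcrypt.using(rounds=...).hash`, and assumes the passlib and bcrypt packages are installed. The sample hash strings used in the comments and tests are constructed, not real bcrypt output.

```python
"""Inspect and police bcrypt hashes of the form $2b$12$<22-char salt><31-char digest>."""
import re

# bcrypt's own base64 alphabet: it differs from RFC 4648 (starts with "./", no padding).
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# $<version>$<cost>$<22 chars salt><31 chars digest>: 60 characters in total.
_BCRYPT_RE = re.compile(r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def bcrypt_b64decode(text: str) -> bytes:
    """Decode bcrypt's base64 variant; the 22 salt characters yield 16 bytes (128 bits)."""
    acc, nbits, out = 0, 0, bytearray()
    for ch in text:
        acc = (acc << 6) | BCRYPT_ALPHABET.index(ch)
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1  # keep only the bits not yet emitted
    return bytes(out)


def parse_bcrypt_hash(stored: str) -> dict:
    """Split a stored hash into its fields; the salt is embedded, so no separate column is needed."""
    m = _BCRYPT_RE.match(stored)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    version, cost, salt_b64, digest_b64 = m.groups()
    cost = int(cost)
    return {
        "version": version,
        "cost": cost,
        "rounds": 2 ** cost,  # cost 12 -> 4096 iterations of bcrypt's key setup
        "salt": bcrypt_b64decode(salt_b64),
        "digest_b64": digest_b64,
    }


def needs_rehash(stored: str, policy_cost: int = 12) -> bool:
    """True when the stored hash was made with a cost below current policy (adaptive cost)."""
    return parse_bcrypt_hash(stored)["cost"] < policy_cost


def login(password: str, stored: str, policy_cost: int = 12):
    """Verify with passlib (the backend library named above); returns (ok, new_hash_or_None).
    Requires the passlib and bcrypt packages (assumption: not exercised by the offline tests)."""
    from passlib.hash import bcrypt  # passlib API: bcrypt.verify / bcrypt.using(...).hash
    if not bcrypt.verify(password, stored):  # re-derives with the salt embedded in `stored`
        return False, None
    if needs_rehash(stored, policy_cost):  # upgrade old hashes transparently at login
        return True, bcrypt.using(rounds=policy_cost).hash(password)
    return True, None
```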

References

  1. OWASP. Password Storage Cheat Sheet. cheatsheetseries.owasp.org
  2. Provos, N. & Mazières, D. (1999). "A Future-Adaptable Password Scheme." Proceedings of the USENIX Annual Technical Conference. usenix.org
