Session

Getting started with securing the passwords!

First, this is a true story.

Back in 2018, I was a newcomer at my company and I was given some web application projects. These projects had been in development since 2016.

That's not old. When I started researching these projects, I was surprised that they used MD5 to hash passwords.

I asked the original developers who wrote this code why they used this approach to hash passwords, and I got the answer: "Many developers use this in most web application projects."

Wait, seriously? I just hope I heard this answer wrong.

Nowadays, we know that MD5 is subject to collisions and that it's possible to crack the hash result to get the plaintext.

In this talk, I introduce password hashing, including usage of the password_hash function and the sodium functions.

Chun-Sheng Li

Associate software engineer

Taipei, Taiwan
