Password hashing with Argon2


Bcrypt is fine, but Argon2 is the modern default, with better resistance to GPU attacks. I store the full encoded hash string (it includes the algorithm, its parameters and the salt) and keep verification in one utility so the rest of the app doesn't grow its own auth helpers. The important thing is not inventing your own scheme: use a library, keep parameters explicit, and never log passwords or hashes. I also treat hashing as one layer only, and pair it with rate limiting on login and MFA for sensitive accounts. When auth bugs happen, it's rarely the hash algorithm; it's the surrounding workflow (reset tokens, session fixation, account enumeration). Still, getting hashing right is table stakes.
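The single-utility pattern described above, as an added example that is not part of the original post. It uses the real argon2-cffi `PasswordHasher` (Argon2id, explicit parameters) when that library is installed; its encoded string already carries algorithm, version, parameters and salt, so the user row stores one self-describing value. Without argon2-cffi the same interface falls back to `hashlib.scrypt` from the standard library, writing records in the PHC-style `$scrypt$ln=..,r=..,p=..$salt$hash` layout; that fallback, the `legacy_record` helper (a stand-in for hashes made under older, weaker settings) and the `login` wrapper are assumptions of this example, not part of any library. Verification never raises on malformed input and nothing here logs a password or a hash.

```python
"""One password-hashing utility for the whole app: hash, verify, rehash on login."""
import base64
import hashlib
import hmac
import os

try:
    from argon2 import PasswordHasher
    from argon2.exceptions import VerificationError
    # Explicit Argon2id parameters: 3 passes, 64 MiB memory, 4 lanes.
    _ARGON2 = PasswordHasher(time_cost=3, memory_cost=64 * 1024, parallelism=4)
except ImportError:  # argon2-cffi not installed: scrypt stand-in is used instead
    _ARGON2 = None
    VerificationError = ValueError

# Current parameters for the scrypt fallback (N = 2**ln, 16 MiB of memory).
_SCRYPT = {"ln": 14, "r": 8, "p": 1}
_SCRYPT_MAXMEM = 128 * 1024 * 1024


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def _scrypt_record(password: str, ln: int, r: int, p: int, salt: bytes) -> str:
    """Encode algorithm, parameters, salt and digest into one storable string."""
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** ln,
                            r=r, p=p, maxmem=_SCRYPT_MAXMEM, dklen=32)
    return f"$scrypt$ln={ln},r={r},p={p}${_b64(salt)}${_b64(digest)}"


def _parse_scrypt(record: str):
    """Return (ln, r, p, salt, digest) for a $scrypt$ record, or None if malformed."""
    parts = record.split("$")
    if len(parts) != 5 or parts[1] != "scrypt":
        return None
    try:
        params = dict(kv.split("=", 1) for kv in parts[2].split(","))
        ln, r, p = int(params["ln"]), int(params["r"]), int(params["p"])
        salt, digest = _unb64(parts[3]), _unb64(parts[4])
    except (KeyError, ValueError):
        return None
    if not (1 <= ln <= 20) or not salt or not digest:  # refuse absurd cost or empty fields
        return None
    return ln, r, p, salt, digest


def hash_password(password: str) -> str:
    """Return a self-describing hash record with the current parameters."""
    if _ARGON2 is not None:
        return _ARGON2.hash(password)
    return _scrypt_record(password, salt=os.urandom(16), **_SCRYPT)


def verify_password(password: str, record: str) -> bool:
    """Constant-time check that returns False (never raises) on mismatch or bad records."""
    if record.startswith("$argon2"):
        if _ARGON2 is None:
            return False  # cannot verify without the library; route user to a reset flow
        try:
            return _ARGON2.verify(record, password)
        except (VerificationError, ValueError):
            return False
    parsed = _parse_scrypt(record)
    if parsed is None:
        return False
    ln, r, p, salt, expected = parsed
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** ln,
                            r=r, p=p, maxmem=_SCRYPT_MAXMEM, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when the record uses an older algorithm or weaker parameters than current."""
    if _ARGON2 is not None:
        if not record.startswith("$argon2"):
            return True
        try:
            return _ARGON2.check_needs_rehash(record)
        except ValueError:
            return True
    parsed = _parse_scrypt(record)
    if parsed is None:
        return True
    ln, r, p, _, _ = parsed
    return (ln, r, p) != (_SCRYPT["ln"], _SCRYPT["r"], _SCRYPT["p"])


def login(password: str, stored: str):
    """Return (ok, replacement_record); callers persist the replacement when present."""
    if not verify_password(password, stored):
        return False, None
    return True, (hash_password(password) if needs_rehash(stored) else None)


def legacy_record(password: str) -> str:
    """Constructed stand-in for a hash made under older, weaker settings (demo only)."""
    return _scrypt_record(password, ln=10, r=8, p=1, salt=os.urandom(16))
```

The only place the application touches a hash is `login`: it verifies with whatever algorithm the stored record names, and when the record is behind the current policy it returns a fresh record to write back, so parameter upgrades happen transparently as users sign in rather than through a mass reset.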