Core premise:
- We don’t want to store passwords in plaintext. Not secure!
- Instead, we can store the result of a cryptographic hash function.
  h(password + salt) = hash
- Salt is not secret. Hash function also not secret.
- To validate login information, the application recomputes h(submitted password + stored salt) and compares the result with the hash stored in the database.