How to Do Password Hashing on Claude Code
Claude Code can generate production-ready password hashing code in seconds. Ask it for bcrypt, Argon2, or scrypt implementations in any language and it will output correct, secure defaults. This guide is for backend developers who want to implement password hashing without leaving their terminal. The main trade-off: Claude Code works best when you stay specific about your stack and security requirements. If you hit a usage limit mid-task, a 5-hour lockout can disrupt critical security work.
- Argon2id is the OWASP-recommended default for new applications as of 2024
- bcrypt has a 72-byte password limit; passwords longer than that are silently truncated
- Claude Code can scaffold a full password hashing module, including salting, verification, and upgrade paths, in a single prompt
What is password hashing and why does it matter in Claude Code workflows?
Password hashing is the process of transforming a plaintext password into a fixed-length digest using a one-way function, so that stored credentials cannot be reversed if a database is compromised. Unlike general-purpose hashes like SHA-256, purpose-built algorithms like bcrypt, Argon2, and scrypt are deliberately slow and memory-intensive, making brute-force attacks impractical.
When working in Claude Code, you can generate, audit, and refactor password hashing logic entirely from the command line. Claude Code understands security context, so prompts like "add Argon2id hashing to my user registration endpoint" produce code that includes appropriate work factors, salt generation, and constant-time comparison, not just a bare import statement.
How to prompt Claude Code for password hashing
The quality of generated security code depends heavily on prompt specificity. Here are patterns that consistently produce correct, production-ready output:
Basic bcrypt implementation (Node.js)
Implement password hashing for a Node.js Express app using bcrypt.
Use a work factor of 12. Include a hashPassword(plaintext) function
and a verifyPassword(plaintext, hash) function with constant-time comparison.
Claude Code will use the bcrypt or bcryptjs library, set the salt rounds correctly, and return async functions ready to drop into an auth module.
Argon2id for new applications (Python)
Add Argon2id password hashing to a FastAPI user registration endpoint.
Use the argon2-cffi library. Follow OWASP recommendations for memory cost,
parallelism, and iterations. Include a function to re-hash legacy bcrypt passwords on login.
This prompt gets you a migration path, which is critical when upgrading older systems. Claude Code will generate a helper that detects the legacy hash format and transparently upgrades on successful login.
Auditing existing code
Review this authentication module for insecure password storage. Flag any use
of MD5, SHA-1, unsalted hashes, or incorrect bcrypt work factors. Suggest remediation.
Claude Code is effective for security audits because it can reason about algorithm choice, not just syntax errors. It will flag patterns like hashlib.md5(password) and explain why they are insufficient for credential storage, citing the specific attack vectors.
Choosing the right algorithm: bcrypt vs Argon2 vs scrypt
| Algorithm | OWASP Recommendation | Key Constraint | Best For |
|---|---|---|---|
| Argon2id | First choice (2024) | Requires libargon2 | New applications |
| bcrypt | Acceptable | 72-byte password limit | Existing Node.js / Rails apps |
| scrypt | Acceptable | Parameter tuning is complex | When Argon2 is unavailable |
| PBKDF2-SHA256 | Minimum acceptable | GPU-attackable at low iterations | FIPS-compliant environments |
When you ask Claude Code to implement hashing without specifying an algorithm, it will typically default to bcrypt because of its ubiquity. If you are starting a greenfield project, add "use Argon2id per OWASP 2024 guidelines" to your prompt to get the stronger default. The full recommendations are documented in the OWASP Password Storage Cheat Sheet.
Step-by-step: implementing Argon2id in a Node.js project with Claude Code
- Open your project in Claude Code. Navigate to your project root and run
claudeto start the session. - Describe the context. Tell Claude Code your framework (Express, Fastify, NestJS), your ORM, and any existing auth patterns, so the generated code fits your architecture.
- Request the implementation. Use a specific prompt like: "Add Argon2id hashing to the createUser and login functions in src/auth/service.ts. Use argon2 npm package. Include error handling for hash verification failures."
- Review the output. Check that salt generation is automatic (it should be: Argon2 handles this internally), work factors are not hardcoded as constants that can be easily lowered, and comparison uses the library's built-in verify method rather than a manual string compare.
- Ask for tests. Follow up with: "Write unit tests for the hashing functions using Vitest. Include a test that verifies a tampered hash fails verification."
- Run a final audit. Ask Claude Code to review the full auth module for any remaining plaintext storage, logging of passwords, or timing side-channels.
Common mistakes Claude Code helps you avoid
- Using MD5 or SHA-1 for passwords. These are general-purpose hash functions, not password hashing algorithms. They are too fast and lack salting by default. Claude Code will flag this pattern in audits.
- Storing unsalted hashes. Without a unique salt per user, identical passwords produce identical hashes, enabling rainbow table attacks. All modern password hashing libraries handle salting automatically.
- Truncating long passwords before hashing. bcrypt silently ignores characters beyond 72 bytes. If your users can set long passphrases, either pre-hash with SHA-256 (carefully) or switch to Argon2id.
- Using a work factor that is too low. A bcrypt cost factor below 10 or an Argon2 memory cost below 64MB is often insufficient on modern hardware. Ask Claude Code: "What work factor should I use for bcrypt in 2024 for a web app that handles ~100 logins per second?"
- Comparing hashes with ==. String equality checks are not constant-time and can leak information via timing. Always use the library's built-in verify function.
Using Claude Code's /slash commands for security tasks
Claude Code includes built-in slash commands that accelerate security-focused workflows:
/review- Ask Claude Code to review your auth module for security issues before committing/usage- Check how much of your usage window you have left before starting a long security refactor/clear- Clear context and start a focused session dedicated to the auth module
The /usage command is particularly useful before starting security-critical work. If you are 80% through your usage window, starting a full auth overhaul risks hitting the limit mid-task, which means a 5-hour wait before you can continue. Knowing your remaining capacity lets you scope the work appropriately.
How to monitor Claude Code usage limits during security work
Password hashing implementations often lead to broader auth refactors. What starts as "add bcrypt to the login endpoint" can expand into session management, token rotation, and audit logging. These are exactly the sessions where running out of Claude Code capacity is most disruptive.
You can check your current usage with the /usage command in Claude Code, or by visiting claude.ai/settings/usage. For passive, always-visible monitoring directly from your macOS menu bar, Usagebar shows your remaining capacity without any context switching. It sends smart alerts at 50%, 75%, and 90% so you can plan your session scope before you hit the wall, and it shows exactly when your usage window resets so you know when to resume work.
Usagebar is available on a pay-what-you-want model, with a free option for students. Credentials are stored securely in the macOS Keychain. Get Usagebar for instant download.
Related: How to check Claude Code usage limits, When does Claude Code usage reset, and How to do Stripe payment integration on Claude Code (another security-sensitive workflow).
Key takeaways
- Use Argon2id for new projects; bcrypt is acceptable for existing ones. Avoid MD5, SHA-1, and plain SHA-256 for passwords.
- Prompt Claude Code with your specific stack, framework, and security requirements to get production-ready output, not generic examples.
- Always ask Claude Code to include a verification function and unit tests alongside the hashing implementation.
- Request an audit pass on any existing auth code using a dedicated prompt focused on algorithm choice and timing vulnerabilities.
- Check your usage window before starting broad security refactors. Use
/usagein Claude Code or Usagebar to avoid a mid-task 5-hour lockout.
Sources
Track Your Claude Code Usage
Never hit your usage limits unexpectedly. Usagebar lives in your menu bar and shows your 5-hour and weekly limits at a glance.
Get Usagebar