javascript – How encrypting website data works

As user amon said in comments, HTTPS is the standard way to encrypt passwords (and everything else) in transit between the browser and the server. There’s only very rarely a good reason to use anything else there.

But for passwords that’s not quite enough. You should also be concerned about the security of password information stored at rest in your database.

For the standard case of user passwords that allow logging in to a website, you want hashing, not encryption. This is because there’s normally no need for anyone to ever read the password out of the database – all you need to be able to do is check that the password someone types when they try to log in matches the password set for that account.

Choose a purpose-made password hashing algorithm that has been widely studied and recommended by information security experts over the last few years. As of 2021, such algorithms include Argon2 and bcrypt, but not SHA or MD5. The use of password hashing algorithms should mean that even if an attacker manages to get hold of all the information your system has, they shouldn’t easily be able to crack many users’ passwords.