Upon revisiting these comments, I just wanted to add (for the benefit of anybody who lands here by mistake!): no, authentication systems should NOT be using a hash “like SHA, or MD5”, because these are general-purpose hashing algorithms. Passwords should be hashed using password-hashing algorithms (e.g. bcrypt), which have characteristics better suited to mitigating brute-force attacks.