### **What is a Password Hash?**
A **password hash** is the output of a **one-way function** applied to a password. Hashing is not encryption: there is no key that turns the hash back into the password. Instead of storing plain-text passwords in a database (which is a major security risk), systems store a **hashed version** of the password.

### **Why Hash Passwords?**
- **Security**: If attackers access the database, they cannot read the actual passwords; they can only guess candidates and hash each one.
- **One-way function**: Hashing is **irreversible**: you cannot "decrypt" a hash to get the original password.
- **Authentication**: When a user logs in, the system hashes the input password with the stored salt and parameters and compares the result to the stored hash.

---

### **How Does Django Hash Passwords?**
Django automatically hashes passwords using the **PBKDF2 algorithm** (by default) when you use `create_user()` or `set_password()`. 

#### **Example in Django:**
```python
from django.contrib.auth.models import User

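# Incorrect way: create() writes the string into the password column as-is,
# so the database holds plain text and the user cannot log in with it
user = User.objects.create(username="john", password="mypassword")  # ❌ Insecure!

# Correct way: create_user() hashes the password before saving
# (an alternative to the call above, not a second step; usernames are unique)
user = User.objects.create_user(username="john", password="mypassword")  # ✅ Secure!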
```

---

### **Checking a Hashed Password**
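Django does not store the actual password but a **hashed version** in the database, so a login attempt is verified with `check_password()`, which hashes the candidate and compares it to the stored value.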

#### **Example:**
```python
from django.contrib.auth.hashers import make_password, check_password

# Hashing a password
hashed_password = make_password("mypassword")
print(hashed_password)
# Output: pbkdf2_sha256$260000$...

# Checking if a password matches the hash
print(check_password("mypassword", hashed_password))  # True
print(check_password("wrongpassword", hashed_password))  # False
```

---

### **How Django Stores Hashed Passwords**
When a password is hashed, it is stored like this:
```
pbkdf2_sha256$260000$randomsalt$hashedvalue
```
- `pbkdf2_sha256`: The hashing algorithm.
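- `260000`: The number of PBKDF2 iterations. More iterations make each password guess slower for an attacker; the default depends on the Django version.
- `randomsalt`: A random per-password salt, so identical passwords produce different hashes.
- `hashedvalue`: The Base64-encoded PBKDF2 output for the password.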
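
The four fields above are enough to rebuild and verify a stored value with only the standard library. This is an added example, not Django's own code: the function names are hypothetical, the 22-character salt length is an assumption, and the iteration default is the one shown on this page.

```python
import base64
import hashlib
import hmac
import secrets
import string

ALGORITHM = "pbkdf2_sha256"
SALT_CHARS = string.ascii_letters + string.digits


def encode_password(password, salt=None, iterations=260000):
    """Build 'algorithm$iterations$salt$hash' from a plain-text password."""
    if salt is None:
        # Fresh random salt per password, so equal passwords get different hashes
        salt = "".join(secrets.choice(SALT_CHARS) for _ in range(22))
    if "$" in salt:
        raise ValueError("salt must not contain the '$' separator")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(digest).decode('ascii')}"


def parse_encoded(encoded):
    """Split a stored value into its four fields."""
    algorithm, iterations, salt, hashed = encoded.split("$", 3)
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return {"algorithm": algorithm, "iterations": int(iterations), "salt": salt, "hash": hashed}


def verify_password(password, encoded):
    """Re-hash the candidate with the stored salt and iteration count, then compare."""
    try:
        fields = parse_encoded(encoded)
        candidate = encode_password(password, fields["salt"], fields["iterations"])
    except ValueError:
        return False  # a malformed or plain-text value never authenticates
    # Constant-time comparison avoids leaking how many characters matched
    return hmac.compare_digest(candidate.encode(), encoded.encode())


if __name__ == "__main__":
    stored = encode_password("mypassword")
    print(stored)
    print(verify_password("mypassword", stored))     # True
    print(verify_password("wrongpassword", stored))  # False
```

Because the salt and iteration count travel with the hash, verification needs no other state, and raising the iteration count later does not invalidate values already stored.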

---

### **Key Takeaways**
✔ **Never store plain-text passwords.**  
✔ Always use `create_user()` or `set_password()` in Django.  
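✔ Hashing limits the damage if the database is leaked: attackers get salted, slow-to-guess hashes instead of passwords, though weak passwords can still be guessed.  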
