Which storage approach best matches NIST digital identity guidance for passwords?

Study for the WGU ITAS 2142 D830 Introduction to Cryptography Exam. Review flashcards and multiple choice questions with hints and explanations. Get ready for your exam!

Multiple Choice

Which storage approach best matches NIST digital identity guidance for passwords?

Explanation:
Storing passwords as salted hashes produced by a dedicated password hashing function with a cost factor matches NIST guidance because it protects the passwords even if the system's credential database is breached. The salt is a random value generated per account (NIST SP 800-63B requires at least 32 bits; 128 bits is common practice), so two users with the same password get different hashes, which defeats precomputed rainbow tables and forces an attacker to crack each account separately. The cost factor (iterations, or memory and time parameters for memory-hard functions) makes each guess computationally expensive, slowing offline attacks so an attacker cannot quickly try millions of candidates per second. NIST SP 800-63B names PBKDF2 (with a minimum iteration count that should be raised as hardware improves) and Balloon as acceptable key derivation functions, and it additionally recommends applying a keyed hash with a secret key ("pepper") that is stored separately from the hashes, for example in an HSM; modern practice favors Argon2id, scrypt, or bcrypt, or PBKDF2 with a high iteration count. The salt is stored alongside the hash and the cost parameters so that verification can recompute the hash from the submitted password and compare it in constant time without ever recovering the original password. The other options are not ways of storing password secrets: a Certificate Authority belongs to public-key infrastructure, a password manager vault is a user-side tool for storing passwords, and a physical badge is a hardware token used for authentication.

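The following is an added example, not part of the original flashcard, that puts the explanation into working code using only the Python standard library. It hashes a password with PBKDF2-HMAC-SHA256 (one of the functions NIST SP 800-63B names), a per-account random salt from a CSPRNG, an explicit iteration count stored with the hash, and an optional secret pepper applied as a keyed hash, then verifies a submitted password in constant time. The record format `pbkdf2_sha256$iterations$salt$hash`, the default iteration count, and the `needs_rehash` helper are this example's own assumptions, and the unsalted SHA-256 function is included only to show the anti-pattern the salt defeats.

```python
"""Example password storage following NIST SP 800-63B (added example, not the page's own code)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example. NIST SP 800-63B rev. 3 set a floor of
# 10,000 PBKDF2 iterations; current practice is far higher, and the count
# should be raised over time as hardware gets faster.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16          # 128 bits; NIST requires at least 32 bits of salt
DERIVED_KEY_BYTES = 32   # 256-bit output from PBKDF2-HMAC-SHA256
ALGORITHM_TAG = "pbkdf2_sha256"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _derive(password: str, salt: bytes, iterations: int, pepper: Optional[bytes]) -> bytes:
    """PBKDF2-HMAC-SHA256, optionally followed by a keyed hash with a secret pepper.

    The pepper is a server-side secret kept outside the credential database
    (NIST recommends an HSM); it is never stored in the record itself.
    """
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DERIVED_KEY_BYTES)
    if pepper is not None:
        dk = hmac.new(pepper, dk, "sha256").digest()
    return dk


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  pepper: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_b64$hash_b64.

    Storing the algorithm and iteration count with the hash lets the cost
    factor be raised later without breaking verification of older records.
    """
    salt = os.urandom(SALT_BYTES)  # CSPRNG; a fresh salt for every account
    dk = _derive(password, salt, iterations, pepper)
    return "$".join([ALGORITHM_TAG, str(iterations), _b64(salt), _b64(dk)])


def verify_password(password: str, record: str, pepper: Optional[bytes] = None) -> bool:
    """Recompute the hash from the stored salt and parameters and compare in constant time."""
    algorithm, iterations, salt_b64, hash_b64 = record.split("$")
    if algorithm != ALGORITHM_TAG:
        raise ValueError(f"unsupported record type: {algorithm}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = _derive(password, salt, int(iterations), pepper)
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, min_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if a stored record was made with a weaker cost factor than the current policy.

    Called after a successful login, so the plaintext is available to re-hash.
    """
    algorithm, iterations, _, _ = record.split("$")
    return algorithm != ALGORITHM_TAG or int(iterations) < min_iterations


def unsalted_sha256(password: str) -> str:
    """The anti-pattern: no salt, no cost factor. Equal passwords give equal
    hashes, so one rainbow table or one cracked hash breaks every matching account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample input
    rec1 = hash_password(pw)
    rec2 = hash_password(pw)
    print("same password, different records:", rec1 != rec2)
    print("verify correct:", verify_password(pw, rec1))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", rec1))
    print("unsalted collide:", unsalted_sha256(pw) == unsalted_sha256(pw))
```

Two points the code makes that the explanation only states: because the salt lives in the record, the database leak gives the attacker nothing that speeds up guessing beyond what the cost factor allows, and because the iteration count lives in the record too, `needs_rehash` lets an operator ratchet the cost up on each login instead of forcing a password reset when policy changes. The pepper, if used, must be kept out of the same database; losing it to the attacker degrades the scheme back to plain salted PBKDF2, while losing it operationally makes every record unverifiable.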
