Versions Compared

...

Assuming your database server is properly secured, access to the database is strictly enforced, and all software running on or connecting to the database is completely bug-free, encryption is unnecessary. Unfortunately, reality dictates that this is impossible to achieve. So, to ensure that the data remains protected in the event that unauthorized access to it is obtained, no matter how unlikely, it becomes necessary to encrypt that data.

...

A key-based hashing algorithm, also known as hash-based message authentication (HMAC), is a means of creating a fixed-length message digest from an arbitrary-length plain-text using a one-way algorithm. That is, once the message digest is computed, the plain-text cannot be recovered from it. Hashes are not a form of encryption, but are often used in places where decrypting the plain-text is unnecessary; for example, in validating that a given password is correct.

...

Before a password is hashed using bcrypt, however, it is first hashed using HMAC-SHA-256. The HMAC-SHA-256 process produces a 256-bit (64-hexadecimal-character) string, which is then hashed using bcrypt. This extra step provides additional protection for short passwords, for extremely long passwords (see denial of service), and against dictionary attacks.
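The pre-hashing step described above, as an added example that is not code from the original page: it computes the HMAC-SHA-256 hex string that would then be handed to bcrypt, and checks the two properties that matter for that hand-off. The secret key and the sample passwords are constructed for the demonstration; where the key is stored is an assumption the page does not cover.

```python
import hashlib
import hmac

# bcrypt only looks at the first 72 bytes of its input; anything after
# that is silently ignored by most implementations.
BCRYPT_MAX_INPUT = 72


def prehash_password(password: str, key: bytes) -> bytes:
    """Return HMAC-SHA-256(key, password) as 64 lowercase hex characters.

    This is the value bcrypt is later fed (on registration and again on
    every login, with the same server-side key). Hex output is always
    64 bytes, so it never hits bcrypt's 72-byte cut-off, and it contains
    no NUL byte, which some bcrypt implementations treat as end-of-string.
    """
    mac = hmac.new(key, password.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest().encode("ascii")


def fits_bcrypt(data: bytes) -> bool:
    """True if bcrypt would consume every byte of `data` unchanged."""
    return len(data) <= BCRYPT_MAX_INPUT and b"\x00" not in data


def demo() -> dict:
    # Constructed sample inputs (not a production key).
    key = b"constructed-demo-key"
    short = prehash_password("pw", key)
    very_long = prehash_password("x" * 100_000, key)
    # Two passwords identical in their first 72 bytes and differing only
    # afterwards: bcrypt on its own would treat them as the same password,
    # the pre-hash keeps them distinct.
    tail_a = prehash_password("p" * 72 + "A", key)
    tail_b = prehash_password("p" * 72 + "B", key)
    return {
        "short_len": len(short),
        "long_len": len(very_long),
        "fits_bcrypt": fits_bcrypt(short) and fits_bcrypt(very_long),
        "long_tail_distinguished": tail_a != tail_b,
        "key_changes_output": short != prehash_password("pw", key + b"!"),
    }


if __name__ == "__main__":
    print(demo())
```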

...