You are 100% correct when you state:
I thought I should keep in my DB only the hashes, not the passwords themselves.
Following on from our online chat, where we clarified the issue you were querying, the general process is as follows:
- During the process of creating (or altering) a password, the password comes into the system in plain text.
- It is then hashed in-memory.
- This hash value is then saved in the database.
Later on ...
- When a user wishes to be authenticated, they enter their password.
- This password comes into the system in plain text.
- It is then hashed in-memory.
- This hash value is then compared with the previous hash saved in the database.
The important thing to note is that, for a given hash algorithm, two identical strings will always hash to identical values, so this comparison is safe.
It is standard to allow the password to be in plain text when still in memory. It is in theory possible to encrypt it before it reaches the server (for example, it would not surprise me if there exist SHA-512 procedures written in JavaScript to hash passwords before they are submitted), but that generally is above and beyond even the most complex security requirements.
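The create-then-verify cycle described above, as an added example (not code from the original answer or its author). It assumes Python's standard-library hashlib and goes one step beyond the answer: each password gets its own random salt, the hash is a PBKDF2 key derivation rather than a bare digest, and the comparison is constant-time.

```python
import hashlib
import hmac
import os

# Storage format (an assumption for this example): algorithm$iterations$salt_hex$hash_hex
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Hash a plain-text password in memory.

    The same password with the same salt and iteration count always yields
    the same digest, which is what makes the later comparison possible.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_record(password: str) -> str:
    """Called when a password is created or changed.

    Only the returned string is stored in the database; the plain-text
    password is discarded once this function returns.
    """
    salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    digest = hash_password(password, salt)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Called at login: re-hash the submitted password with the stored salt and compare."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = create_record("correct horse battery staple")  # constructed sample password
    print(record)                                           # this, not the password, goes in the DB
    print(verify("correct horse battery staple", record))   # True
    print(verify("wrong password", record))                 # False
```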