or make sure even if the data is leaked, it's useless.

There is reason we don't store raw plain password in database, even if we know data in database should not be leaked.