An authentication token should not be left as it is in the database; that’s common sense. But applying a heavy hashing algorithm to secure it doesn’t make much sense either.
An authentication token, if it is created properly (128 bits of randomness, for example), is already very secure by itself. By its nature it contains no username or password information; it is just a randomly generated string. This is actually the main reason we use auth tokens instead of usernames and passwords: there is no need to enter or pass any credentials, the auth token alone is enough to authenticate the user.
So, for the purpose of securing the auth token by hashing it in the database, there is no need for a strong, CPU-intensive algorithm, because the token itself is already secure enough.
- An authentication token is not a hashed credential.
- If an authentication token is created properly, it is very secure by itself.
- Keeping a token in a database as it is is dangerous; it must be hashed.
- Using a strong (slow) hashing algorithm is unnecessary and consumes a lot of CPU cycles.