docs: insecure example

[elithrar]

The current Quick Start guide shows an example where a password is hashed using SHA-256 - https://threads.js.org/getting-started

This is not a secure example, and may lead readers without a meter for secure code to copy-paste the example.

• SHA-256 is a fast cryptographic hash, and not a key derivation function (like bcrypt or scrypt)
• This means it is NOT suited to "hashing" passwords

I would suggest using another example entirely that doesn't rely on password hashing, but if you must use it, use the PBKDF2 algorithm from SubtleCrypto to derive a key from the user input, with sufficient rounds.

[andywer]

Hey @elithrar, thanks for pointing out!

This is a good point indeed. Maybe let's just drop the password context and use it as a generic hashing worker instead? I am not attached to the use case, I just needed something tangible as a sample back in the day and somehow ended up with this unfortunate example.

[elithrar]

OK, great!

Let me PR a revised example tonight / tomorrow that aligns with that and removes "password" from the terminology.

[andywer]

Very much appreciated!