
bcrypt

A password hashing function designed to be computationally expensive, making brute-force attacks impractical.

bcrypt is an adaptive password hashing function based on the Blowfish cipher. Unlike fast general-purpose hash functions like SHA-256, bcrypt is intentionally slow, making it resistant to brute-force and dictionary attacks. It incorporates a configurable work factor that can be increased over time as hardware becomes more powerful, ensuring the function remains secure as computing capabilities advance.

How It Works

When a user creates or changes their password, bcrypt takes the plaintext password and a randomly generated salt as inputs, then produces a fixed-length hash. The salt is a random value unique to each password, ensuring that identical passwords produce different hashes. This prevents attackers from using precomputed rainbow tables to reverse the hashes.

The work factor, also called the cost factor, determines how many iterations of the underlying algorithm are performed. A work factor of 10 means 2^10 (1,024) iterations, while a factor of 12 means 2^12 (4,096) iterations. Each increment doubles the computation time. This tunable difficulty is bcrypt's key feature: as processors become faster, administrators can increase the work factor to maintain the same level of resistance against brute-force attacks.

During authentication, the application retrieves the stored hash (which includes the salt and work factor), applies the same bcrypt operation to the submitted password, and compares the results. If they match, the password is correct. The salt is stored as part of the hash output, so no separate salt storage is needed.
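The stored-hash layout described above, as an added example that is not from the original page: a small pure-Python parser for bcrypt's modular-crypt string that pulls the version, cost, embedded salt and hash back out, plus a rehash-on-login check for when the policy cost is raised. The sample string and the needs_rehash policy are constructed for this example; actual hashing and verification still go through a bcrypt library.

```python
import re
from dataclasses import dataclass

# bcrypt uses its own radix-64 alphabet (not RFC 4648) for the salt and hash fields.
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# Stored layout: $<version>$<cost>$<22-char salt><31-char hash>
_FORMAT = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<hash>[./A-Za-z0-9]{31})$"
)


@dataclass(frozen=True)
class BcryptFields:
    version: str
    cost: int
    salt: bytes      # 16 raw bytes decoded from the 22-char salt field
    hash_b64: str    # 23-byte hash, still in bcrypt's radix-64 text

    @property
    def iterations(self) -> int:
        # The cost is a log2 value: cost 10 -> 2**10 = 1,024 iterations.
        return 2 ** self.cost


def decode_bcrypt_b64(text: str) -> bytes:
    """Decode bcrypt radix-64 text into bytes, dropping the unused trailing bits."""
    bits = "".join(format(BCRYPT_B64.index(ch), "06b") for ch in text)
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def parse_bcrypt(stored: str) -> BcryptFields:
    """Split a stored bcrypt string into version, cost, salt and hash."""
    m = _FORMAT.match(stored)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} is outside bcrypt's valid range 4..31")
    return BcryptFields(m.group("version"), cost,
                        decode_bcrypt_b64(m.group("salt")), m.group("hash"))


def needs_rehash(stored: str, policy_cost: int) -> bool:
    """True when the stored hash used a lower cost than current policy (hypothetical
    policy value), so the password should be rehashed at the next successful login."""
    return parse_bcrypt(stored).cost < policy_cost


# Constructed sample in bcrypt's format; the hash field is illustrative, not a real digest.
SAMPLE = "$2b$10$" + "CCCCCCCCCCCCCCCCCCCCC." + "E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW"

if __name__ == "__main__":
    f = parse_bcrypt(SAMPLE)
    print(f.version, f.cost, f.iterations, f.salt.hex(), needs_rehash(SAMPLE, 12))
```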

Why It Matters

Proper password storage is a critical security requirement. When databases are breached, the difference between passwords hashed with bcrypt and those stored with fast algorithms like MD5 or SHA-1 is enormous. Fast hashes can be cracked at billions of attempts per second, while bcrypt limits attackers to a few thousand attempts per second at most. Security assessments evaluate password storage mechanisms because weak hashing directly enables mass account compromise following a data breach.
