
What is Bcrypt?


Bcrypt is a cryptographic hash function designed for hashing passwords so they can be stored safely in an application's backend in a form that is far less susceptible to dictionary attacks. It was created in 1999 by Niels Provos and David Mazières and is built on the Blowfish cipher.

It is a one-way function: once a password is hashed, the hash cannot be reversed to recover the original password. Each time the user logs in, bcrypt hashes the submitted password again, using the salt and cost stored inside the saved hash, and compares the result with the hash the system stored to check whether the passwords match.

How Bcrypt Works:

  • Salting: Before hashing, a random string called a salt is added to the password. This makes it significantly harder for attackers to use precomputed hashes (rainbow tables) to crack passwords.  
  • Key Stretching: Bcrypt employs a technique called key stretching. This involves repeatedly applying a cryptographic function to the password and salt combination, making it computationally expensive to calculate the hash. This slowness is intentional and helps deter brute-force attacks.  
  • Adaptive Complexity: Bcrypt is designed to keep pace with increasing computing power. Its cost factor sets how many times the expensive key-setup step is repeated (2 to the power of the cost), and raising it over time makes the hash correspondingly harder for attackers to crack.  
import bcrypt

password = b"mypassword"
salt = bcrypt.gensalt()                          # random 16-byte salt plus the cost factor (default 12)
hashed_password = bcrypt.hashpw(password, salt)  # 60-byte string embedding version, cost, salt and digest

# Verification at login: checkpw reads the salt and cost back out of hashed_password
bcrypt.checkpw(password, hashed_password)        # True
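The three mechanisms above (salt, key stretching via the cost factor, and raising the cost over time) all live inside the stored hash string, and the login comparison described later on this page depends on reading them back out. The following is an added example, not code from the original post: it parses a stored bcrypt string into its fields, computes the iteration count implied by the cost, and decides whether a hash is below a chosen policy cost; the verify_and_upgrade helper then uses the real bcrypt package to check a login and rehash at the current cost when the stored one is too low. The sample hash, the policy cost of 12, and the upgrade-on-login step are this example's own assumptions; the parser itself works without the bcrypt package installed.

```python
import re

try:
    import bcrypt  # pip install bcrypt; needed only for the hash/verify helpers below
except ImportError:  # parsing and policy checks still work without it
    bcrypt = None

# Modular crypt format used by bcrypt: $<version>$<cost>$<22-char salt><31-char digest>
_BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)


def parse_bcrypt_hash(stored: str) -> dict:
    """Split a stored bcrypt string into its fields; raises ValueError if malformed."""
    m = _BCRYPT_RE.match(stored)
    if not m:
        raise ValueError("not a bcrypt hash")
    fields = m.groupdict()
    fields["cost"] = int(fields["cost"])
    if not 4 <= fields["cost"] <= 31:
        raise ValueError("bcrypt cost must be between 4 and 31")
    fields["iterations"] = 2 ** fields["cost"]  # key-setup rounds implied by the cost
    return fields


def is_bcrypt_hash(stored: str) -> bool:
    """Cheap validity check for values read from a user table."""
    try:
        parse_bcrypt_hash(stored)
        return True
    except ValueError:
        return False


def needs_rehash(stored: str, policy_cost: int) -> bool:
    """True if the stored hash was made with a lower cost than current policy."""
    return parse_bcrypt_hash(stored)["cost"] < policy_cost


def hash_password(password: str, cost: int = 12) -> str:
    """Hash a new password with a fresh random salt at the given cost."""
    if bcrypt is None:
        raise RuntimeError("the bcrypt package is required for hashing")
    return bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt(rounds=cost)).decode("ascii")


def verify_and_upgrade(password: str, stored: str, policy_cost: int = 12):
    """Login-time check returning (ok, replacement_hash_or_None).

    bcrypt.checkpw reads the salt and cost out of `stored`, hashes the candidate
    with them and compares. If it matches but the cost is below policy, a new
    hash at the policy cost is returned so the caller can store it (assumption:
    this upgrade-on-login policy belongs to the example, not to bcrypt itself).
    """
    if bcrypt is None:
        raise RuntimeError("the bcrypt package is required for verification")
    ok = bcrypt.checkpw(password.encode("utf-8"), stored.encode("ascii"))
    if ok and needs_rehash(stored, policy_cost):
        return True, hash_password(password, policy_cost)
    return ok, None


# Constructed sample: syntactically valid (cost 10), but not the hash of any real password.
SAMPLE_HASH = "$2b$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

if __name__ == "__main__":
    fields = parse_bcrypt_hash(SAMPLE_HASH)
    print(fields["version"], fields["cost"], fields["iterations"], needs_rehash(SAMPLE_HASH, 12))
    if bcrypt is not None:
        old = hash_password("mypassword", cost=10)       # a hash made under an older, lower cost
        print(verify_and_upgrade("mypassword", old, policy_cost=12))  # (True, '$2b$12$...')
```

Because the salt and cost travel inside the hash string, nothing else needs to be stored per user, and a cost increase can be rolled out gradually: each successful login at the old cost produces a replacement hash at the new one.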

Key Benefits of Bcrypt:

  • Security: It slows brute-force and dictionary attacks, and its per-password salt defeats rainbow table attacks.  
  • Adaptability: Bcrypt can adjust to evolving computing power, ensuring long-term security.  
  • Simplicity: It’s relatively easy to implement and use.  
  • Widely adopted: Many systems and applications rely on bcrypt for password storage.

In essence, bcrypt transforms a human-readable password into an effectively irreversible hash that is unique to that password and salt. This hash is stored, and when a user attempts to log in, the password they provide is hashed with the same salt and compared to the stored hash. If they match, the password is verified.