Bcrypt for password hashing because it is slow?

Tags:

security

hash

I read today on not-implemented.com:

Sha-256 should be chosen in most cases where a high speed hash function is desired. It is considered secure with no known theoretical vulnerabilities and it has a reasonable digest size of 32 bytes. For things like hashing user password, though, a function designed to be slow is preferred: a great one is bcrypt.

Can somebody explain the last sentence:

For things like hashing user password, though, a function designed to be slow is preferred: a great one is bcrypt.

I don't say it's not correct, my question is simply:

Why is it preferred to use a slow function for hashing user passwords?

astropanic asked Apr 02 '13 11:04



1 Answer

Because if it takes more time to hash the value, it also takes a much longer time to brute-force the password.

Keep in mind that slow means that it requires more computing power. The same goes for when a potential hacker tries to brute-force a password.

eandersson answered Sep 17 '22 15:09
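To make the answer's point measurable, here is an added example (not part of the original question or answer) that compares how many password guesses per second a fast hash allows against a deliberately slow one. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 with a tunable iteration count stands in for bcrypt's cost factor; the password and salt are constructed sample values.

```python
import hashlib
import hmac
import time

# Constructed sample input (not from the original post).
SAMPLE_PASSWORD = b"correct horse battery staple"
SAMPLE_SALT = bytes(range(16))


def fast_hash(password: bytes, salt: bytes) -> bytes:
    """One SHA-256 over salt||password: cheap to compute, so cheap to guess against."""
    return hashlib.sha256(salt + password).digest()


def slow_hash(password: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Deliberately slow hash with a tunable work factor.

    PBKDF2-HMAC-SHA256 is used here as a stand-in for bcrypt (not in the stdlib);
    raising `iterations` plays the same role as raising bcrypt's cost factor.
    """
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def verify(stored: bytes, candidate: bytes, salt: bytes, hasher) -> bool:
    """Constant-time comparison of a recomputed hash against the stored one."""
    return hmac.compare_digest(stored, hasher(candidate, salt))


def guesses_per_second(hasher, salt: bytes, samples: int) -> float:
    """Measure how many candidate passwords per second `hasher` lets anyone check.

    The same throughput bounds a legitimate login check and an offline guessing
    run against a leaked hash, which is why the slow hasher is preferred.
    """
    start = time.perf_counter()
    for i in range(samples):
        hasher(b"guess-%d" % i, salt)
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst-case time to try every password in a keyspace at `rate` guesses/s."""
    return keyspace / rate


if __name__ == "__main__":
    fast_rate = guesses_per_second(fast_hash, SAMPLE_SALT, 20_000)
    slow_rate = guesses_per_second(slow_hash, SAMPLE_SALT, 5)
    keyspace = 26 ** 8  # e.g. every 8-character lowercase password
    print(f"SHA-256: {fast_rate:,.0f} guesses/s, {seconds_to_exhaust(keyspace, fast_rate) / 86400:.1f} days to exhaust")
    print(f"PBKDF2 : {slow_rate:,.0f} guesses/s, {seconds_to_exhaust(keyspace, slow_rate) / 86400:,.0f} days to exhaust")
```

The absolute numbers depend on the machine, but the ratio between the two rates is what the answer is about: every extra unit of work per hash costs the legitimate server one login's worth of time and costs a guesser that same work multiplied by the whole keyspace.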