Is Bcrypt used for Hashing or Encryption? A bit of confusion

I have been reading about bcrypt (application perspective). Thinking of using it to store passwords on my site.

Some of the stuff I read suggests it could be either:

  • e.g. 1: Bcrypt is a cross platform file encryption utility from bcrypt
  • e.g. 2: bcrypt is an adaptive password hashing algorithm which uses the Blowfish keying schedule, not a symmetric encryption algorithm. from How To Safely Store A Password
  • bcrypt is an adaptive cryptographic hash function for passwords designed by Niels Provos and David Mazières, based on the Blowfish cipher: from bcrypt wiki

What exactly is Bcrypt?

asked Jan 27 '12 by ThinkingMonkey (491 votes)



2 Answers

It is both :)

Most of the time when people mention BCrypt, they are talking about the adaptive hash algorithm, but it is also the name of an unrelated file encryption utility.

Both are based on the Blowfish cipher.

answered Oct 27 '22 by PaulG (106 votes)


Bcrypt encryption software uses the Blowfish algorithm designed by Bruce Schneier in 1993. [1]

The bcrypt hash function is just that, a hash function. It does not perform encryption, it hashes. It's based on the Blowfish cipher, and is considered a good thing because you can make it slower over time.

From Wikipedia:

This is not cryptographically significantly stronger than the standard Blowfish key schedule, but the number of rekeying rounds is configurable; the hashing process can therefore be made arbitrarily slow, which helps deter brute-force attacks upon the hash or salt.

In regards to storing passwords on your site, you should be encrypting passwords before you hash them.

Only after you encrypt them with some encryption algorithm (e.g. Blowfish, Rijndael / AES) should you use bcrypt to hash the ciphered passwords, and store the password hashes.

For more details on implementing password security, see the top answer to this question.

answered Oct 27 '22 by Rob (45 votes)
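Both answers hinge on the same practical point: the bcrypt hash function stores its cost parameter next to the salt and digest, which is what lets you "make it slower over time". The following is an added example, not code from the question or either answer. It parses bcrypt's stored string format (`$2b$<cost>$<22-char salt><31-char digest>`, the salt and digest in bcrypt's own `./A-Za-z0-9` alphabet), reads the cost back out, and decides whether a hash recorded at an old cost should be recomputed at login, which is the only point at which the plaintext is available. The sample hash strings are constructed to be syntactically valid and are not the bcrypt output of any real password; the optional live round trip assumes the third-party `bcrypt` PyPI package and is skipped if it is not installed. Note that the library API takes the password directly: the per-user salt comes from `gensalt`, and nothing is encrypted first.

```python
import re

# Layout of a stored bcrypt string:  $<version>$<cost>$<22-char salt><31-char digest>
# The 22 characters encode the 128-bit salt and the 31 characters the 184-bit result,
# both in bcrypt's own base64 alphabet (./A-Za-z0-9), not standard base64.
BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)
MIN_COST, MAX_COST = 4, 31   # range accepted by common bcrypt implementations

# Constructed sample: syntactically valid, NOT the bcrypt output of any real password.
SAMPLE_SALT = "abcdefghijklmnopqrstuv"             # 22 chars
SAMPLE_DIGEST = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"   # 31 chars
OLD_HASH = f"$2b$10${SAMPLE_SALT}{SAMPLE_DIGEST}"   # imagine this was stored at cost 10


def parse_bcrypt(stored: str) -> dict:
    """Split a stored bcrypt string into its fields; raise ValueError if malformed."""
    m = BCRYPT_RE.match(stored)
    if m is None:
        raise ValueError("not a bcrypt string")
    cost = int(m.group("cost"))
    if not MIN_COST <= cost <= MAX_COST:
        raise ValueError(f"cost {cost} outside {MIN_COST}..{MAX_COST}")
    return {
        "version": m.group("version"),
        "cost": cost,
        "rounds": 2 ** cost,        # expensive key-setup iterations encoded by the cost
        "salt": m.group("salt"),
        "digest": m.group("digest"),
    }


def is_bcrypt(stored: str) -> bool:
    """Cheap sanity check before treating a stored value as a bcrypt hash."""
    try:
        parse_bcrypt(stored)
        return True
    except ValueError:
        return False


def needs_rehash(stored: str, target_cost: int) -> bool:
    """True when the stored hash uses a lower cost than current policy.

    The salt and digest are one-way output; nothing in them can be turned back
    into the password. The only way to raise the cost is to recompute the hash
    from the plaintext, so call this right after a successful login and rehash then.
    """
    return parse_bcrypt(stored)["cost"] < target_cost


def hash_and_verify(password: bytes, cost: int):
    """Real bcrypt round trip using the third-party 'bcrypt' package (PyPI), if installed.

    Returns None when the package is absent so the rest of this file still runs.
    The password goes straight into hashpw; the random per-user salt comes from gensalt.
    """
    try:
        import bcrypt   # PyPI package "bcrypt"; an assumption, not part of the stdlib
    except ImportError:
        return None
    stored = bcrypt.hashpw(password, bcrypt.gensalt(rounds=cost))
    assert parse_bcrypt(stored.decode())["cost"] == cost
    return bcrypt.checkpw(password, stored) and not bcrypt.checkpw(b"wrong" + password, stored)


if __name__ == "__main__":
    print(parse_bcrypt(OLD_HASH))
    print("needs rehash at cost 12:", needs_rehash(OLD_HASH, 12))
    print("live bcrypt round trip:", hash_and_verify(b"correct horse battery staple", 4))
```

A login path that calls `needs_rehash` after `checkpw` succeeds can raise the whole user base to a new cost gradually, without ever needing to recover a password; that is the property a hash has and an encryption utility does not.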