Can someone point out the differences between the two and example situations where to use each?
bcrypt looks great.
The takeaway is this: bcrypt is a secure algorithm but remember that it caps passwords at 72 bytes. You can either check if the passwords are the proper size, or opt to switch to argon2, where you'll have to set a password size limit.
@sansappsec Specifically, bcrypt is a specific password hash that's better than multiple rounds of the SHA family, which are fast hashes.
"`bcrypt` was designed for password hashing hence it is a slow algorithm. This is good for password hashing as it reduces the number of passwords per second an attacker could hash when crafting a dictionary attack."
A lot of your research is correct and still applies in 2021, so it is still secure to use BCrypt (which usually generates its own random salt for each password). Good password hashing algorithms are Argon2, SCrypt and BCrypt, they all offer a cost factor which controls the necessary time.
Use bcrypt where you want to do slow and computationally expensive hashing -- this will generally be for hashes where you really don't want an attacker to be able to reverse the hash, e.g. user passwords. Use native crypto for everything else.
As a companion to @mike-scott's answer: you should prefer bcrypt for password-related stuff, but you can still use crypto for a wide range of tasks like creating random tokens, an HMAC checksum, or SHA1/MD5 hashes:

```javascript
var crypto = require('crypto');

// random tokens (16 random bytes, shown in two encodings)
var token = crypto.randomBytes(16);
console.log('Random token of %d bytes in hexadecimal: %s', token.length, token.toString('hex'));
console.log('Random token of %d bytes in base 64: %s', token.length, token.toString('base64'));

// a hashed message authentication code (HMAC) using a shared secret key
var string = 'My coffee please';
var key = 'Right away sir';
var hmac = crypto.createHmac('sha1', key).update(string).digest('hex');
console.log('HMAC-SHA1 of "%s" using key "%s": %s', string, key, hmac);

// an MD5 hash
var hashmd5 = crypto.createHash('md5').update(string).digest('hex');
console.log('The MD5 hash of "%s" is %s', string, hashmd5);

// a SHA1 hash
var hashsha1 = crypto.createHash('sha1').update(string).digest('hex');
console.log('The SHA1 hash of "%s" is %s', string, hashsha1);
```