Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What's the difference between bcrypt and hashing multiple times?

Tags:

passwords

password-protection

bcrypt

hash

How is bcrypt stronger than, say,

def md5lots(password, salt, rounds):
    if (rounds < 1)
        return password
    else
        newpass = md5(password + salt)
        return md5lots(newpass, salt, rounds-1)

I get the feeling, given its hype, that more intelligent people than me have figured out that bcrypt is better than this. Could someone explain the difference in 'smart layman' terms?

like image 566
Luke has no name Avatar asked Aug 16 '11 00:08

Luke has no name

People also ask

Why is bcrypt hash different every time?

A BCrypt hash includes salt and as a result this algorithm returns different hashes for the same input.

Is bcrypt a one way hash?

Bcrypt uses adaptive hash algorithm to store password which is a one-way hash of the password. BCrypt internally generates a random salt while encoding passwords and store that salt along with the encrypted password. Hence it is obvious to get different encoded results for the same string.

Is bcrypt more secure than sha256?

The technology in the Bcrypt algorithm and process limits attacks and makes it harder for attackers to compromise passwords. Bcrypt was not designed for encrypting large amounts of data. It is best implemented for passwords, however SHA-256 is better for large amounts of data because it is less costly and faster.

Which is the advantages of bcrypt?

The largest benefit of bcrypt is that, over time, the iteration count can be increased to make it slower allowing bcrypt to scale with computing power. We can dimish any benefits attackers may get from faster hardware by increasing the number of iterations to make bcrypt slower.

1 Answers

The principal difference - MD5 and other hash functions designed to verify data have been designed to be fast, and bcrypt() has been designed to be slow.

When you are verifying data, you want the speed, because you want to verify the data as fast as possible.

When you are trying to protect credentials, the speed works against you. An attacker with a copy of a password hash will be able to execute many more brute force attacks because MD5 and SHA1, etc, are cheap to execute.

bcrypt in contrast is deliberately expensive. This matters little when there are one or two tries to authenticate by the genuine user, but is much more costly to brute-force.

like image 184
Adrian Avatar answered Nov 04 '22 16:11

Adrian
Sign in to Comment

Related questions

How to push keys and values into an empty hash w/ Ruby?
Ruby Hash initialization (default value nil)
Probability of hash collision
6 Character Short Hash Algorithm
Ruby: What is the order of keys/values returned by Hash.keys and Hash.values methods?
How to generate HMAC-SHA256 in .Net Core?
How to Generate an MD5 hash in Kotlin? [closed]
two-way keyed encryption/hash algorithm
Bootstrap 3 expand accordion from URL
How to insert hash into hash in Perl
What do I need to do to get Hash.from_xml() to work?
Persistent hashcode for strings [duplicate]
how to create hash within hash
Symfony2 create own encoder for storing password
How should I compute files hash(md5 & SHA1) in C#
How can I join two hashes in Perl without using a loop?
Create hash from array and frequency
Django: Make JS source maps compatible with staticfiles filename hashing
Ways to hash a numeric vector?
SSL authentication by comparing certificate fingerprint?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!