2

I'm looking into hashing and salting passwords using bcrypt in PHP. Can someone explain to me why bcrypt's use of "work" / "rounds" prevents attacks?

I've already read "How do you use bcrypt for hashing passwords in PHP?", but I'm having a hard time understanding what makes it so special if someone got a hold of your database and could crack it offline?

Would it be potentially up to the salt and hash together to protect the database against rainbow tables? Or does bcrypt do something special to help prevent attacks like this?

Community
Lil' Bits

2 Answers

4

Simply put, bcrypt is "better" than some other hash algorithms like the SHA family because it's purposely slow and can be made purposely slower by using a high iteration count. Furthermore, it requires the use of a salt, which protects against the use of pre-calculated hash values (rainbow tables). The salt value should be generated/stored together with each output of bcrypt to disallow comparisons between values of different users (in case they use the same password).

Even if an attacker gets your password hashes and salts, as long as your use of bcrypt is using a high number of iterations, it won't be possible to quickly find the matching password. It is a one-way function, so you would need to perform the bcrypt calculations once for each password that is tried. This is of course little protection against bad passwords.

Maarten Bodewes
Explosion Pills
  • I made some important changes to this answer: the algorithm is known/static. The used hardware does not change the outcome of bcrypt. bcrypt only relies on the iteration count for speed; bcrypt calculations are likely to be much faster on specialized hardware/software platforms. Please bear in mind that although the gist of the answer was correct, the more detailed information certainly was not. – Maarten Bodewes Jun 24 '12 at 13:44
1

In a nutshell, bcrypt and other password stretching algorithms are all about work amplification. An attacker has to do a lot more work to crack a password than you have to (since you typically only get valid login requests or mistaken passwords, at a much lower rate); thus, every millisecond you add to password hashing time your attacker has to pay a million or a billion times over. Bcrypt and other algorithms simply slow things down deliberately, making your attacker spend a lot more time trying to crack passwords.

Nick Johnson
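The two properties the answers above describe, per-hash salts and a tunable work factor, shown with PHP's built-in password API. This is an added example, not code from the question or from either answer; the password, the cost values and the target cost of 12 are constructed for illustration.

```php
<?php
declare(strict_types=1);

$password = 'correct horse battery staple'; // constructed sample

// 1. Salt: password_hash() generates a fresh random salt on every call and
//    embeds it in the output, so equal passwords give unequal hashes and a
//    table precomputed for one salt is useless against another.
$a = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$b = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
printf("hash A: %s\nhash B: %s\n", $a, $b);
printf("hashes equal: %s, both verify: %s\n",
    var_export($a === $b, true),
    var_export(password_verify($password, $a) && password_verify($password, $b), true));

// 2. Work factor: bcrypt repeats its expensive key setup 2^cost times, so
//    each +1 on the cost roughly doubles the time for defender and attacker.
function msPerHash(string $password, int $cost): float
{
    $start = hrtime(true); // nanoseconds, PHP 7.3+
    password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    return (hrtime(true) - $start) / 1e6;
}

foreach ([8, 10, 12] as $cost) {
    $ms = msPerHash($password, $cost);
    // Time for one million guesses against ONE salted hash at this machine's
    // speed. Other hardware may be faster; the doubling per step still holds.
    printf("cost %2d: %8.1f ms per hash, 1e6 guesses ~ %.1f hours\n",
        $cost, $ms, $ms * 1e6 / 3.6e6);
}

// 3. The cost is stored inside the hash, so it can be raised later: after a
//    successful login, rehash if the stored cost is below the current target.
$targetCost = 12; // assumed policy value
printf("stored cost: %d\n", password_get_info($a)['options']['cost']);
if (password_verify($password, $a)
    && password_needs_rehash($a, PASSWORD_BCRYPT, ['cost' => $targetCost])) {
    $a = password_hash($password, PASSWORD_BCRYPT, ['cost' => $targetCost]);
    printf("upgraded to cost %d\n", password_get_info($a)['options']['cost']);
}
```

Pick the cost by running the timing loop on the production login server and choosing the highest value whose per-hash time the login path can tolerate.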