1

Other than just hashing the password like that:

password_hash($password, PASSWORD_BCRYPT);

What is the recommended rounds of iteration for bcrypt? I know for certain that four rounds of blowfish are susceptible to a second-order differential attack but the server utilizing the process of hashing would probably be fine with a lot bigger cost in most cases. 14 rounds can be distinguished from a pseudorandom permutation so that's ruled out as well.

Is 16 the highest possible cost? Also how is the salt being generated (if omitted)?

schmitsz
  • 175
  • 1
  • 13
  • there's no way to recommend anything. it all depends on your threat assessment. if the NSA is after you, then 500 kajillion rounds probably wouldn't be enough. if it's little timmy with a cereal box decoder ring, then skip bcrypt and "encrypt" with base64 or something. – Marc B Mar 18 '15 at 20:55
  • Could you please re-read the title? – schmitsz Mar 18 '15 at 20:57

1 Answers1

2

In case of BCrypt you do not specify the number of rounds, instead you define a cost factor. The cost factor will be raised to the power of 2, that means, increasing the cost factor by 1, will double the computing time.

$numberofRounds = 2 ^ $costFactor

The default value is currently 10, the highest possible value is currently 31. To determine the cost factor you should go the other way round, measure the time your server needs for different cost factors. Then you can decide what cost factor is bearable for your server.

There is a small example script in the PHP documentation, which helps finding an appropriate cost factor.

martinstoeckli
  • 23,430
  • 6
  • 56
  • 87
  • What about the salt? How is it being generated if omitted as a parameter? – schmitsz Mar 18 '15 at 21:21
  • @schmitsz - It is best to omit this parameter, the function will then generate a cryptographically safe salt from the random source of the operating system. – martinstoeckli Mar 18 '15 at 21:23
  • I think you misunderstood my question. I'm not asking what is better but how the salting is done when the parameter is not specified. – schmitsz Mar 18 '15 at 21:29
  • @schmitsz - As i said, the function generates a safe random salt and uses it to generate the hash. Maybe you want to know how the salt is stored? The salt will become part of the hash-value, have a look at this [answer](http://stackoverflow.com/a/25403833/575765) for a detailed explanation about the format. – martinstoeckli Mar 18 '15 at 21:34
  • No. I want to know how the generation is being performed by the function itself. Also I disagree with the scheme presented in that answer. **2y** is a signature for BCrypt, not "hash-algorithm". – schmitsz Mar 18 '15 at 21:37
  • @schmitsz - Well name it as you want, it is a signature for the fixed implementation (UTF-8 bug) of the hash-algorithm BCrypt. You would have to look at PHP's source code, but at least in the [compatibility pack](https://github.com/ircmaxell/password_compat/blob/master/lib/password.php) they are using the function `mcrypt_create_iv()` with fallbacks to other functions. After getting the random bytes, they are base64 encoded and some characters are exchanged, to comply with BCrypts alphabet of allowed characters. – martinstoeckli Mar 18 '15 at 21:55
  • Okay, thanks for clearing it up. Accepting the answer. – schmitsz Mar 18 '15 at 21:56