25

I have been reading about bcrypt (application perspective). Thinking of using it to store passwords on my site.

Out of some stuff that I read it suggests either ways:

  • e.g. 1: Bcrypt is a cross platform file encryption utility from bcrypt
  • e.g. 2: bcrypt is an adaptive password hashing algorithm which uses the Blowfish keying schedule, not a symmetric encryption algorithm. from How To Safely Store A Password
  • bcrypt is an adaptive cryptographic hash function for passwords designed by Niels Provos and David Mazières, based on the Blowfish cipher: from bcrypt wiki

What exactly is Bcrypt?

samayo
  • 16,163
  • 12
  • 91
  • 106
ThinkingMonkey
  • 12,539
  • 13
  • 57
  • 81
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Cryptography Stack Exchange](http://crypto.stackexchange.com/) or [Information Security Stack Exchange](http://security.stackexchange.com/) would be a better place to ask. – jww Feb 25 '17 at 21:54
  • 1
    @jww after 5 year this question not marked as off-topic. – Naveen DA Jul 27 '17 at 10:05

3 Answers3

26

It is both :)

Most of the time when people mention BCrypt, they are talking about the adaptive hash algorithm, but it is also the name of an unrelated file encryption utility.

Both are based on the Blowfish cipher.

PaulG
  • 13,871
  • 9
  • 56
  • 78
10

Bcrypt encryption software uses the Blowfish algorithm designed by Bruce Schneier in 1993. [1]

The bcrypt hash function is just that, a hash function. It does not perform encryption, it hashes. It's based on the Blowfish cipher, and is considered a good thing because you can make it slower over time.

From Wikipedia:

This is not cryptographically significantly stronger than the standard Blowfish key schedule, but the number of rekeying rounds is configurable; the hashing process can therefore be made arbitrarily slow, which helps deter brute-force attacks upon the hash or salt.

In regards to storing passwords on your site, you should be encrypting passwords before you hash them.

Only after you encrypt them with some encryption algorithm (e.g. Blowfish, Rijndael / AES) should you use bcrypt to hash the ciphered passwords, and store the password hashes.

For more details on implementing password security, see the top answer to this question.

Community
  • 1
  • 1
Rob
  • 5,223
  • 5
  • 41
  • 62
  • 2
    His name is 'Schneier', not 'Schneider'. – Martin Ellis Jan 27 '12 at 16:06
  • 11
    To nitpick :) you don't need to encrypt before hashing. – PaulG Jan 27 '12 at 16:08
  • 1
    @PaulG it does add an extra level of security if you encrypt as well, and is considered good practice, as long as you store the secret key on a different server or if this is too expensive, in a text file on the remote server's local file system. – Charles Robertson Oct 24 '15 at 22:34
  • 1
    @PaulG This link explains best practices for salt hash and encrypting salt hash using a secret key. BCrypt is just a more convenient way to salt hash because the salt does not require DB storage: https://crackstation.net/hashing-security.htm – Charles Robertson Oct 24 '15 at 22:43
  • 2
    @CharlesRobertson - why would encrypting a password before hashing it make it more secure? To make it computationally more expensive? Bcrypt is already tuneable in that regard. It would make the value to be hashed longer, but using a longer salt would achieve the same thing. I did read your link, and it doesn't mention this process as far as I could see. – Ben Hull Dec 15 '16 at 06:13
  • It's a myth that obscurity cannot create a more secure situation. Ask any administrator that has put a service on a non-standard port. 99.9% of attackers can't be bothered to check other ports because it takes too much time. – Robert Talada Aug 06 '20 at 13:19
3

bcrypt is a key derivation function for passwords

Also difference between hashing(used by bcrypt) and encryption in simple words will be -

1) encrypted data can be decrypted via private key. 2) Hashing is one way that is if you hash the plain text its irreversible, hence more secure. The only way to ensure is rehash the plain text and compare it with previously hashed data for equality.

kamal
  • 996
  • 15
  • 25