Bcrypt: An Overview
What is Bcrypt? Why is it a popular way to keep passwords secure? Today we will answer these questions and gain a deeper understanding of Bcrypt.
Bcrypt is a password-hashing algorithm based on the Blowfish cipher. It takes a plaintext password as input and returns a hash of that password (along with some other fields we'll get to later) as a single string. Is this encryption? No. Encryption is a two-way function: whatever was encrypted can be decrypted with the key, so an attacker who obtains the right key can recover the plaintext password. Hashing, on the other hand, is a one-way function. There is no key that reverses it, so nobody can run the function backwards to retrieve the plaintext password. This forces an attacker to guess candidate passwords one at a time and hash each one, that is, to brute force.
Having a hashed password is one step on the way to storing passwords securely. However, we are still open to brute force attacks. To protect against this, Bcrypt has a configurable cost factor that makes each hash computation deliberately slow. This prevents attackers from trying hundreds of thousands of passwords a second. As computers get faster, the cost factor can be raised so that Bcrypt keeps protecting against brute force attacks over time.
Now we have a hashed password and a slow algorithm, but there is still one more step to store passwords securely. That is the salt. A salt is a random value that Bcrypt generates and mixes into the password before hashing, which protects against rainbow table attacks. It ensures that even two users with the same password have different hashes stored in the database. The salt is not secret: Bcrypt stores it in the output string next to the hash, along with the cost factor, so the same computation can be repeated when the user logs in again.
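As an added example (not code from the original post), the following stdlib-only Python parses the string Bcrypt returns, pulling out the version, cost factor, salt and hash it stores together, and checks whether a stored hash was made with a cost below current policy, which is how the "raise the cost as computers get faster" step is applied in practice. The two sample strings are constructed to have the correct shape; they are not real hashes of any password.

```python
import re
from dataclasses import dataclass

# A bcrypt result looks like $2b$12$<22-char salt><31-char hash>: the version,
# the cost factor and the salt are stored in the string alongside the hash.
# Salt and hash use bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


@dataclass(frozen=True)
class BcryptHash:
    version: str
    cost: int
    salt: str
    digest: str

    @property
    def rounds(self) -> int:
        # The cost is logarithmic: each +1 doubles the key-setup iterations.
        return 2 ** self.cost


def parse_bcrypt(stored: str) -> BcryptHash:
    """Split a stored bcrypt string into its fields, rejecting malformed input."""
    m = BCRYPT_RE.match(stored)
    if m is None:
        raise ValueError("not a well-formed bcrypt string")
    version, cost, salt, digest = m.groups()
    cost_int = int(cost)
    if not 4 <= cost_int <= 31:  # the range bcrypt implementations accept
        raise ValueError(f"cost factor {cost_int} out of range")
    return BcryptHash(version, cost_int, salt, digest)


def needs_rehash(stored: str, min_cost: int) -> bool:
    """True if the stored hash used a cost below policy; check this at a
    successful login, when the plaintext is available to hash again."""
    return parse_bcrypt(stored).cost < min_cost


# Constructed samples (valid shape, not hashes of any real password): two
# records for the same password still differ because each carries its own salt.
SAMPLE_A = "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE_B = "$2b$10$vutsrqponmlkjihgfedcba43210ZYXWVUTSRQPONMLKJIHGFEDCBA"

if __name__ == "__main__":
    for s in (SAMPLE_A, SAMPLE_B):
        h = parse_bcrypt(s)
        print(h.version, h.cost, h.rounds, h.salt, needs_rehash(s, 12))
```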
There! We now know some of the basics of the process Bcrypt uses to keep passwords secure. It is one way, it is computationally costly, and it adds a random salt to each password before hashing.