Bcrypt for password hashing because it is slow?

10,824

Solution 1

Because if it takes more time to hash the value, it also takes a much longer time to brute-force the password.

Keep in mind that slow means that it requires more computing power. The same goes for when a potential hacker tries to brute-force a password.

Solution 2

On your side, the password hash needs to be computed rather rarely. But an attacker who tries to brute-force a password from a stolen hash relies on computing as many hashes as possible.

So, if your login now takes 100 ms instead of 0.1 ms (probably less), that's not really a problem for you. But it makes a huge difference for an attacker if he needs 2000 days to break a password instead of 2 days.

bcrypt is designed to be slow and not to allow any shortcut.

Solution 3

It takes more effort to brute-force the password. The slower the algorithm, the fewer guesses can be made per second. The extra time won't be noticed by a user of the system, but it will make it harder to crack the password.
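All three answers make the same point: the defender hashes once per login, the attacker hashes once per guess, so a tunable work factor costs the defender milliseconds and the attacker orders of magnitude more. The script below is an added example, not code from the question or any of the answers. It uses only the Python standard library, so PBKDF2-HMAC-SHA256 with 2**cost iterations stands in for bcrypt (bcrypt's cost parameter works the same way, but needs a third-party package); the storage format, password strings and the 26^8 search space are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample values (not from the original post)
SAMPLE_PASSWORD = b"correct horse battery staple"
WRONG_PASSWORD = b"correct horse battery stapler"


def fast_hash(password: bytes, salt: bytes) -> bytes:
    """One SHA-256 over salt||password: fast for you, and just as fast for the attacker."""
    return hashlib.sha256(salt + password).digest()


def slow_hash(password: bytes, salt: bytes, cost: int) -> bytes:
    """Deliberately slow hash: PBKDF2-HMAC-SHA256 with 2**cost iterations.
    Assumption: this stands in for bcrypt, whose cost parameter also means 2**cost rounds."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 2 ** cost, dklen=32)


def hash_password(password: bytes, cost: int = 12) -> str:
    """Store algorithm, cost and salt next to the digest (as bcrypt's $2b$12$... string does),
    so the cost can be raised later without breaking existing logins."""
    salt = os.urandom(16)
    digest = slow_hash(password, salt, cost)
    return f"pbkdf2_sha256${cost}${salt.hex()}${digest.hex()}"


def verify_password(password: bytes, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, cost, salt_hex, digest_hex = parts
    digest = slow_hash(password, bytes.fromhex(salt_hex), int(cost))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, current_cost: int) -> bool:
    """True if the stored hash was made with a lower cost than policy now requires;
    call this after a successful login and re-hash with the new cost."""
    return int(stored.split("$")[1]) < current_cost


def guesses_per_second(hash_fn, seconds: float = 0.3) -> float:
    """Benchmark one CPU core: how many hash evaluations it completes per second."""
    salt = os.urandom(16)
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(b"guess%d" % n, salt)
        n += 1
    return n / (time.perf_counter() - start)


def days_to_exhaust(search_space: int, rate: float) -> float:
    """Worst-case days for an offline attacker trying every candidate at `rate` guesses/s."""
    return search_space / rate / 86400


if __name__ == "__main__":
    stored = hash_password(SAMPLE_PASSWORD, cost=12)
    print("stored:  ", stored)
    print("login ok:", verify_password(SAMPLE_PASSWORD, stored))
    print("wrong pw:", verify_password(WRONG_PASSWORD, stored))
    space = 26 ** 8  # constructed example: every 8-letter lowercase password
    for name, fn in [("sha256", fast_hash),
                     ("pbkdf2 cost=12", lambda p, s: slow_hash(p, s, 12))]:
        rate = guesses_per_second(fn)
        print(f"{name:15s} {rate:12.0f} guesses/s -> "
              f"{days_to_exhaust(space, rate):12.1f} days to exhaust 26^8")
```

Running it prints one login check (a few milliseconds at cost 12) and then the per-core guess rate for the fast and the slow hash; the ratio between the two "days to exhaust" figures is the attacker's extra cost, and raising `cost` by one doubles it while `needs_rehash` lets existing accounts migrate to the higher cost at their next login.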

Author: astropanic


Updated on June 05, 2022

Comments

astropanic, about 2 years ago:

I read today on not-implemented.com:

Sha-256 should be chosen in most cases where a high speed hash function is desired. It is considered secure with no known theoretical vulnerabilities and it has a reasonable digest size of 32 bytes. For things like hashing user password, though, a function designed to be slow is preferred: a great one is bcrypt.

Can somebody explain the last sentence:

For things like hashing user password, though, a function designed to be slow is preferred: a great one is bcrypt.

I don't say it's not correct; my question is simply:

Why is it preferred to use a slow function for hashing user passwords?