Why you should use BCrypt to hash passwords
In the online world, passwords play a critical role in keeping your data and other important information safe. For this reason, ensuring your passwords remain secure is critical. If not, the consequences can be catastrophic — think the Sony hacks of 2011.
Hashed password solutions fall short
Many password solutions simply are not good enough and put your data and resources at risk. Let’s take a look at a few examples.
Plain text passwords
As its name infers, a plain text password makes use of only letters. Should a hacker gain access to passwords such as these, they can easily pose as a user on your system. Often, plain text passwords are replicated across other logins as well, as users don’t want to have to remember multiple passwords for different sites or applications. Guess what? That just gives a hacker access to those applications as well.
One way hash
With a one-way hash password, a server does not store plain text passwords to authenticate a user. Here, a password has a hashing algorithm applied to it to make it more secure. While in theory, this is a far better password solution, hackers have found ways around this system as the algorithm used is not exactly a one-way option at all. In fact, hackers can just continue to guess passwords until they gain access to your resources.
‘Salting’ the password
One could consider ‘salting’ a password before it is hashed. What does this mean? Well, a ‘salt’ adds a very long string of bytes to the password. So even though a hacker might gain access to one-way hashed passwords, they should not be able to guess the ‘salt’ string. In theory, this is a great way to secure your data, but if a hacker has access to your source code, they will easily be able to find the ‘salt’ string for passwords.
Random ‘salt’ for each user
As an alternative, a random ‘salt’ string could be added for each user, created on the generation of the user account. This will increase encryption significantly as hackers will have to try to find a password for a single user at a time. Again, even though it means they will have to spend more time cracking the passwords for multiple users, they will still be able to gain access to your resources. It just takes longer.
The BCrypt Solution
So, is there a solution for proper password encryption? Something that will protect your valuable data and resources no matter what? Yes, there is! It comes in the form of the BCrypt hashing function — designed by Niels Provos and David Mazières in 1999.
BCrypt is based on the Blowfish block cipher cryptomatic algorithm and takes the form of an adaptive hash function. But why should you use it to protect your data and resources? To explain, we’re going to need to get a little technical…
Using a Key Factor, BCrypt is able to adjust the cost of hashing. With Key Factor changes, the hash output can be influenced. In this way, BCrypt remains extremely resistant to hacks, especially a type of password cracking called rainbow table.
This Key Factor will continue to be a key feature as computers become more powerful in the future. Why? Well, because it compensates for these powerful computers and slows down hashing speed significantly. Ultimately slowing down the cracking process until it’s no longer a viable strategy.
If you have sensitive data or information that you need to be protected, ensuring it is secured correctly is vital. As we have seen, there are many ways to secure this information through various password methods, but only BCrypt offers a truly robust solution
For more details: Salted Password Hashing
For more details: Salted Password Hashing
Comments
Post a Comment