LLMpediaThe first transparent, open encyclopedia generated by LLMs

bcrypt

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article Genealogy
Parent: Base64 Hop 4
Expansion Funnel Raw 72 → Dedup 0 → NER 0 → Enqueued 0
1. Extracted72
2. After dedup0 (None)
3. After NER0 ()
4. Enqueued0 ()
bcrypt
Namebcrypt
DeveloperNiels Provos, David Mazieres
Introduced1999
Derived fromBlowfish (cipher)
Typekey_derivation_function

bcrypt is a password hashing function designed to be computationally expensive and adaptive to hardware improvements. It was created to slow brute-force attacks by combining a tunable work factor with the Blowfish (cipher) keying schedule and incorporating a per-password salt to thwart precomputed attacks like Rainbow table. The algorithm has been adopted in many Unix-like systems, OpenBSD projects, and contemporary web application frameworks.

History

bcrypt was published in 1999 by Niels Provos and David Mazieres while both were involved with University of Michigan and later contributors to OpenBSD. The design responded to weaknesses exposed by events such as the proliferation of fast MD5-based password dumps and the rise of distributed cracking efforts like those leveraging Distributed.net. Early adoptions included OpenBSD's password hashing changes and subsequent ports into FreeBSD, NetBSD, and Linux distributions. Over time, bcrypt influenced later designs such as scrypt and Argon2, which were motivated by advances in commodity GPU and ASIC acceleration seen in projects like Hashcat and research from institutions like University of California, San Diego.

Design and Algorithm

bcrypt builds on the keying schedule of Blowfish (cipher) to create an iterated, salted key derivation function. The algorithm accepts a cost parameter (exponential work factor) that controls the number of key expansion iterations; increasing the cost mirrors strategies used in PBKDF2 and protects against Moore's Law improvements observed by organizations like Intel and NVIDIA. Inputs include a 128-bit salt and a password; outputs are a 192-bit hash usually represented in modular crypt format used by crypt(3). The core uses an expensive "EksBlowfish" setup that alternates key expansion with salt mixing, akin to the repeated hashing concepts advocated in Whitfield Diffie and Martin Hellman's earlier cryptographic work. The design intentionally favors CPU-bound work rather than memory-hard constructs promoted by later proposals from Colin Percival.

Security and Cryptanalysis

bcrypt's security relies on its adaptive cost and salt to resist brute-force and precomputation attacks such as those illustrated by Morris Worm era password dumps. Practical assessments by cryptographers from institutions like MIT, Stanford University, and University College London show bcrypt remains robust against conventional CPU and GPU cracking when cost is appropriately tuned, but its lack of memory hardness makes it more vulnerable to specialized hardware like FPGA and ASIC clusters used in projects by companies such as Google and Amazon Web Services for password cracking experiments. Research publications appearing in conferences like USENIX Security Symposium, ACM CCS, and IEEE S&P have analyzed trade-offs between cost parameters and attack cost models. Known limitations include bcrypt's maximum password length handling compared to standards from IETF and interaction considerations with Unicode normalization practices endorsed by entities like Unicode Consortium.

Implementations and Libraries

bcrypt has been implemented across many languages and platforms: native support in OpenBSD's libc and utilities; C libraries used by FreeBSD and NetBSD; ports into glibc wrappers; and bindings for ecosystems such as Python (programming language), Ruby (programming language), Node.js, Java (programming language), Go (programming language), and C#. Popular libraries include those maintained by projects like Django for Python (programming language), Rails for Ruby (programming language), and modules used in Express (web framework) for Node.js. Commercial authentication providers such as Okta, Auth0, and Microsoft Azure Active Directory document bcrypt as an available option in legacy migration paths. Security audits by firms like NCC Group and Cure53 often evaluate bcrypt implementations alongside alternatives like Argon2.

Usage and Best Practices

Use bcrypt with a unique, cryptographically-random salt per password as recommended by NIST guidelines and set the cost parameter so that hashing takes a fraction of a second on current deployment hardware; reevaluate cost following hardware upgrades from vendors like Intel or AMD. Combine bcrypt with account protections from services such as Cloudflare or Akamai rate limiting and monitoring offered by Splunk or Elastic for logging suspicious authentication attempts. For password handling, follow operational practices from OWASP and legal frameworks like the General Data Protection Regulation when storing hashes and executing breach responses. When migrating from legacy schemes like MD5 or SHA-1-based hashes, implement seamless rehash-on-login strategies used by Django and Rails ecosystems.

Performance and Benchmarks

Benchmarking bcrypt involves measuring hash throughput on representative hardware: commodity servers with Intel Xeon or AMD EPYC CPUs, virtual machines on Amazon Web Services or Google Cloud Platform, and edge devices like Raspberry Pi. Performance scales exponentially with cost: each increment doubles the number of EksBlowfish iterations, which is documented in implementations distributed with OpenBSD. Comparative benchmarks published in USENIX papers and by projects like Phoronix show bcrypt outperforms memory-hard functions like scrypt and Argon2 in memory usage but often lags in resistance to GPU/ASIC acceleration. Real-world guidance from NIST and OWASP suggests choosing cost such that login latency remains acceptable while maximizing attacker cost, and rerunning benchmarks after platform changes from suppliers like Amazon or Microsoft.

Category:Cryptographic functions