Questions tagged [bcrypt]

BCrypt is an adaptive cryptographic hash function for passwords. It incorporates a salt to protect against rainbow-table attacks, and it is adaptive: its work factor can be raised over time so that it remains resistant to brute-force search attacks against the hash and the salt.

217 questions
9 votes, 3 answers

Hashing Password on Client Side to avoid lag on single-core game server?

I am currently implementing a simple login system. I would like to securely store all the user passwords in my database. The passwords are the most important components. All the other user data is not important. If an account gets hacked, as long as…
user136620
9 votes, 3 answers

Client-side BCrypt, store salt and hash separately in MySQL database

I’m developing an Android app with a MySQL database for storing user login credentials. I’m using jBCrypt for hashing passwords before storing them in the database. On registration, the password is hashed on client-side as follows: String salt =…
yberg
9 votes, 1 answer

Would it make sense to use Bcrypt and PBKDF2 together?

I've read various opinions about whether Bcrypt or PBKDF2 is a better key derivation hashing method. The answer seems to depend on a lot of complicated factors that are not easy to analyze. Would using both of them (presumably in a serial way one…
Dan
8 votes, 3 answers

Safety of Password Hashing Using bcrypt Done on Client Side

I am currently using a technique where I send the username/password in cleartext (using https) to the server, which then does bcrypt and compares to the db. Standard practice. It is considered safe. Would sending bcrypt hash to the server for…
code ninja
8 votes, 6 answers

Is there a table that compares hashing algorithms by speed, relatively (machine independent)?

As far as I understood*, one of the major criteria when choosing a password / salt hashing algorithm is its speed. To prevent brute force attacks, a slower algorithm is better (and also makes it more impractical to generate rainbow tables). Assuming…
Eran Medan
8 votes, 2 answers

Why is the BCrypt text "OrpheanBeholderScryDoubt"?

I'm looking for a reference about the weird initial BCrypt text "OrpheanBeholderScryDoubt". Why was this string used? Would using 192 zeros or ones not have worked well in practice for some reason? Was that just four random dictionary words…
wim
8 votes, 3 answers

Is it secure to use bcrypt-generated salt in cookie to serve as token in place of a password?

I have a (hobby) web site that runs only on SSL. The site does not deal with finances, social security numbers, or anything of that level of importance. However, I'd like to secure it as much as reasonably possible. Cookies are marked secure and…
RPW
8 votes, 2 answers

Production ready bcrypt implementation for .NET

Which, if any, .NET / C# bcrypt implementations are considered suitable for production environments? I have seen CryptSharp and BCrypt.Net mentioned in answers to other questions but without any discussion of how widely they are used or how much…
broccoli_soup
8 votes, 2 answers

How to store the access token / password reset token in the database?

I have an access code that is sent to users so that they can access the site in one click. In terms of access it's very similar to the password reset URL, so I assume the same assumptions apply. E.g. in this question people suggest to hash this…
Ilya Chernomordik
8 votes, 2 answers

Incrementing Work-Factor of Hash Functions Over Time

For a long time hash functions have required a work-factor in order to keep the operation "slow" enough to protect individual passwords in the case of a database leak. Bcrypt and PBKDF2 being notable examples. I'm also aware of the "Don't Roll Your…
sethmlarson
7 votes, 3 answers

HTTP Server: Response time on login request

I have a site on which I would like to prevent an unauthenticated attacker from knowing if an account exists. On the site, passwords are hashed using bcrypt, so login requests must do a bcrypt comparison (strength 12) – which takes CPU time. My…
7 votes, 1 answer

How does PHP's password_hash() BCRYPT cost factor translate into cracking computation times?

I am trying to fully understand the relationship between BCRYPT's COST factors and how much more time it would take a machine to crack a password with PHP 5.5's password_hash(). The encryption times I observed on an average server for password_hash()…
hexalys
7 votes, 4 answers

Is salted MD5 or salted SHA considered secure?

Is using something like bcrypt or scrypt necessary? The hashes are so much longer to store in a database. Can one get away with using salted MD5 or SHA and still be secure?
user49654
7 votes, 1 answer

The brute-force resistance of bcrypt versus MD5 for password hashing?

Can anyone give me an idea? Assume the salt(s) is/are known. For example, if I have a $k$-character long password that is hashed in MD5 versus bcrypt, is there a way to estimate how much more time it would take to brute-force in bcrypt versus MD5? I…
user49572
7 votes, 1 answer

Is it possible to decrypt Bcrypt encryption?

I do have a password that has been encrypted with Bcrypt and the salt. Is it possible if I want to decrypt the password into normal text?
akiraro