Highest Voted 'bcrypt' Questions - IT Security Stack Exchange

7

votes

1 answer

Is BCrypt enough when saving a password into a database?

In order to allow users to connect to my website, I encrypt their password using BCrypt since it is one of the slowest algorithms to decrypt (making a compromised database longer to be decrypted). But I was wondering if that was enough -- or if…

asked May 08 '12 at 18:30

Cyril N.

2,649
2
18
28

7

votes

2 answers

If the bitcoin network was cracking bcrypt, what cost factor would you use?

Since the best example of pooled resource to crack hashes is the bitcoin network, currently churning through 2.14 ExaHashes/s. I want to ask, if the resources of this network were pointed towards cracking blowfish, and (by extension) bcrypt, what…

passwords password-cracking bcrypt bitcoin blowfish

asked Dec 04 '16 at 15:44

Amin Shah Gilani

171
4

7

votes

2 answers

Estimate the time to crack passwords using bcrypt

I am reading on the Ashley Madison password exposure case. Dean Pierce was able to output about 4000 cracked passwords within 5 days given his system. I'm assuming that he generated a table of hashes to compare 1 to 1. My question is, how long does…

password-cracking bcrypt

asked Oct 14 '16 at 01:16

user2197917

71
1
1
2

7

votes

1 answer

How To Proper Handle Passwords In C#

It's a well known fact that C# string is pretty insecure, it's not pinned in RAM, the Garbage Collector can move it, copy it, leave multiple traces of it in RAM and the RAM can be swapped and be available as a file to be read, not mentioning several…

.net memory bcrypt string

asked Sep 19 '16 at 23:37

mFeinstein

241
4
13

7

votes

1 answer

Is bcrypt safe with the 64-bit block cipher birthday attack?

Recent research made it apparant that birthday attacks are now 'viable' on 64-bit block ciphers which Blowfish uses. (the paper in pdf) At work we use BCrypt for password hashing, as I was thought that for password-hashing it was best/safer as it…

encryption bcrypt blowfish

asked Aug 24 '16 at 15:36

CuccoChaser

173
4

6

votes

1 answer

Password strengthening for PGP

I'm wondering about some of the semantics and security implications of using something like scrypt or bcrypt to "enhance" a password protecting a PGP private key. Essentially, I'm asking about the implications of using the scrypt of a password as…

public-key-infrastructure pgp bcrypt scrypt

asked Jul 25 '13 at 17:46

Ryan Marcus

163
4

6

votes

1 answer

How to get other people's bcrypt hashes to add to htpasswd file

I need to restrict some webpages to certain users and I do this using a .htpasswd file through nginx. The problem is I need to add other people's bcrypt password hashes to my .htpasswd file. Would it be possible for them to generate it using…

bcrypt

asked Jul 11 '13 at 20:31

user1812844

355
1
3
6

6

votes

1 answer

Is the execution time for bcrypt independent of the length of the input string?

Is the execution time for bcrypt independent of the length of the input string? i.e. Should the execution time of bcrypt.hashpw('input_string', bcrypt.gensalt(12)) and bcrypt.hashpw('arbitrarily_longer_input_string', bcrypt.gensalt(12)) be in…

hash bcrypt

asked May 02 '13 at 14:33

mmcnickle

163
3

6

votes

1 answer

Security of bcrypt/sha256 key used with AES to encrypt a file

I'm looking to encrypt files using secure hashing and encryption algorithms in Python. Having used bcrypt in the past, I decided to use it for my passphrase calculator, then pass the output through SHA256 in order to get my 32 bytes of data, then…

encryption passwords aes bcrypt sha256

asked Jan 22 '13 at 04:03

Naftuli Kay

6,715
9
47
75

6

votes

2 answers

Explain BCrypt like I'm 5

I know this is a little bit broad, but I'd like to understand the function of this algorithm by explaining like I'm 5. And I'd like to know the difference between BCrypt and blowfish, is it because BCrypt is using a salt? I've been reading but I see…

encryption passwords bcrypt blowfish

asked Mar 27 '19 at 11:13

Skizo-ozᴉʞS

163
1
5

6

votes

1 answer

Ruby Devise salt exposed

The remember_user_token cookie token generated by the Ruby Devise authentication component reveals part of a bcrypt salted credential when decoded. For…

bcrypt credentials ruby rails

asked Mar 26 '18 at 05:25

user1330734

389
7
16

6

votes

3 answers

Trying to understand password hashing

I am trying to get a grasp of password hashing. Back in the days it seemed so simple, just MD5(password + salt) and you are done. Then md5 was proven to have collisions so people started moving to SHA1 and so on. Then we started talking about…

passwords hash password-management bcrypt pbkdf2

asked Jul 25 '12 at 09:04

Chris Dale

16,119
10
56
97

6

votes

2 answers

Can I trust a security hash implementation after testing it with random inputs against another implementation?

Let's say I want to use a security hashing algorithm, like bcrypt, and I want to use a young bcrypt implementation, e.g. called libfancybcrypt, instead of an well established implementation. Of course, I can simply generate a few thousand or…

cryptography hash bcrypt opensource library

asked May 06 '17 at 09:39

Lukas Kalbertodt

293
1
7

6

votes

2 answers

Are there any security bugs with UTF-8?

I have just recently decided to allow all characters for my website. Are there any common security bugs that I need to deal with? are there any ways to "inject" using utf-8? Is it safe to allow users to use passwords with non english alphabetical…

php injection bcrypt

asked Aug 12 '16 at 20:27

user120698

6

votes

3 answers

How hard would it be to crack bcrypt hashes if the salt is unknown?

(This is not a duplicated of the linked question IMHO as this is more about the differences between a salt and password: both variables used to generate a hash) Let's say an attacker has offline access to a database in which passwords are hashed…

passwords hash salt bcrypt

asked Jul 25 '16 at 06:16

lepe

2,184
2
15
29

Questions tagged [bcrypt]