BCrypt is an adaptive cryptographic hash function for passwords. It incorporates a salt to protect against rainbow table attacks and is also an adaptive hash: over time its cost can be increased so that it remains resistant to brute-force search attacks against the hash and the salt.
Questions tagged [bcrypt]
217 questions
5
votes
5 answers
Should BCRYPT be used for client-side password hashing
I am concerned about the use of bcrypt for client-side password generation. I am developing a password generation function to be used client-side, similar to PwdHash and PasswordMaker.
Much has been said about the advantage of using bcrypt over…
Ken Clubb
- 183
- 1
- 8
5
votes
0 answers
Stateless REST API and secure server side password storage
RE: Duplicate - Did anyone actually read my question? The question marked as duplicate is in no way, shape, or form what I'm asking. I specifically state that a DB compromise must not allow an attacker access. Storing a session ID that can be…
regretoverflow
- 181
- 5
5
votes
4 answers
Does having a list of hashes for the same password compromise the security of the password?
An attacker wants access to a specific account; he doesn't know the password.
It's a high entropy password. +128bits
The attacker has the hash for the password (Assuming OWASP suggested bcrypt with cost 12)
The attacker has a list with n hashes…
Justcurious
- 175
- 6
5
votes
2 answers
Is single iteration SHA-256 safe enough for hashing 128bit random number API keys?
I implemented this kind of authentication for my REST API, is this secure and is my logic sound?
I am primarily curious about the SHA-256 hash & iterations = 1 aspect. I have omitted some details and explanations about the other aspects to keep this…
Janne Mattila
- 153
- 4
5
votes
2 answers
Scrypt + Bcrypt = cascade hashing
I've read here that hashing with different algorithms would be a good idea.
Can you confirm that?
In your experience, is it useful and safe? Does it entail any security holes?
Surfer on the fall
- 787
- 3
- 8
- 17
5
votes
1 answer
Dictionary attack knowing the cipher
Let's suppose I know a website is using BCrypt with salts and the default round of 10.
Can I do a dictionary attack by hashing all the words using BCrypt with the same parameters?
Oscar
- 153
- 2
5
votes
2 answers
For high entropy credentials, is SHA256 hashing good enough?
Let's say I've got a database of high-entropy credentials (e.g. 256-bit random values) used as API keys by clients. I'd like to hash them in my database so that a database compromise doesn't allow an attacker to access my API with stolen…
Bosh
- 223
- 1
- 5
5
votes
2 answers
Can you encrypt data using BCRYPT?
Somebody else posted a question about ghostmail (https://www.ghostmail.com/crypto) and whether it looks valid. One of the things that triggered alarm bells for me was the sentence "Account Password (This is sent and stored encrypted using BCRYPT)".…
trallgorm
- 875
- 7
- 19
4
votes
1 answer
Securely storing passwords using PHP5
Starting note: After going through some articles and answers posted on SO related to storing secured passwords, I'm still not sure whether my way of thinking is applicable to today's reality.
I'm currently thinking of a way to provide a secure…
Kamil Gosciminski
- 143
- 5
4
votes
1 answer
Is it a good idea to use two salts?
Is it a good idea to use two salts? This is implying that one would be unique to the user, and one would be unique to the server, using Bcrypt of course.
So for example, if you're using Golang as your backend, would it be a good idea to generate a…
Belthian
- 59
- 3
4
votes
1 answer
RESTful web application security and authentication scheme
I am building a web application where the front-end is a single-page-app and the back-end serves it through a RESTful API. I want to make sure I implement user authentication with the best security practices.
I am planning a system that will perform…
Tom Grant
- 271
- 1
- 8
4
votes
2 answers
Which memory-hard hashing algorithm can equalize low-computational and high-computational power devices to utilize blockchain in the IoT?
Recently IBM and Microsoft showed their interest (IBM post, Microsoft post) in utilizing bitcoin's blockchain for internet of things (IoT) development. Let's assume that in close future the blockchain technique to be implemented in smart cars…
Nur
- 41
- 3
4
votes
3 answers
How do ASIC cryptocoin miners affect the security of scrypt?
Is the availability of these miners a reason to favor bcrypt (or something else) over scrypt?
I mean, the goal of a password hash function is to maximize the work needed for an attacker to break a hash through brute force, dictionary or whatever,…
Filip Haglund
- 1,593
- 1
- 11
- 20
4
votes
2 answers
BCrypt+SHA256 vs PBKDF2-SHA256
From this question, the OP posited taking a user's entered password, running it through BCrypt, then running that through SHA256 to produce a 256-bit password-derived key. (EDIT: To clarify, these two options are considered as producing a single key…
KeithS
- 6,678
- 1
- 22
- 38
4
votes
3 answers
How is a pepper used with salted passwords?
How is a pepper (a large constant number) used after a password has been salted with a salt by a hashing function such as bcrypt?
From Sybex CISSP Official Study Guide, 8th Edition (2018):
Adding a pepper to a salted password increases the…
BJ Dela Cruz
- 143
- 5