Questions tagged [blowfish]

Blowfish is a symmetric block cipher with a key size between 32 and 448 bits. It was created by Bruce Schneier in 1993.

27 questions
21
votes
3 answers

Is multiple encryption a good idea?

I know that many encryption algorithms, while secure, have vulnerabilities. To reduce risks, would multiple encryption like this Blowfish_CbC ( Rc2_OFB ( AES128_CBC (myfilecontent))) be a good idea? I know that execution time seriously increases,…
Surfer on the fall
14
votes
2 answers

Mathematically, how long would it take to crack a bcrypt password hash?

So I'm currently using bcrypt to hash passwords with a randomly generated salt (as seen in the pip bcrypt module), with 12 rounds. I have been looking around, but I cannot find a detailed and clear mathematical way to estimate how long it would take…
madcrazydrumma
11
votes
2 answers

“Official statement” on php.net : CRYPT_BLOWFISH is strongest hash algorithm. Why?

First: I asked this question on stackoverflow and was kindly asked to post this here again. See the original question here. According to the [early] doc pages of the new PHP 5.5 password hashing/encrypting API the used algorithm CRYPT_BLOWFISH is…
Sliq
10
votes
3 answers

Why do most hashing functions produce hashes that have characters a-f 0-9?

This is something I never understood about hashing functions. I know that algorithms like whirlpool and blowfish both produce outputs that don't follow this pattern, but why is it that most do? Is it some kind of hardware/software thing? If they…
Tar
10
votes
1 answer

PHP crypt() trims the salt as it would be too long

I am using Blowfish with PHP crypt() for password hashing but I noticed something weird. Quoting PHP documentation: CRYPT_BLOWFISH - Blowfish hashing with a salt as follows: "$2a$", "$2x$" or "$2y$", a two digit cost parameter, "$", and 22 digits…
cen
8
votes
7 answers

What is the best way to securely keep clear passwords?

I'm working on a web project that will connect to a database. For that, I will have to store the login/password of that database user in clear (encrypted in a symmetrical way) in order to be able to reconnect for every action (like creating table,…
Cyril N.
7
votes
2 answers

If the bitcoin network was cracking bcrypt, what cost factor would you use?

Since the best example of pooled resource to crack hashes is the bitcoin network, currently churning through 2.14 ExaHashes/s. I want to ask, if the resources of this network were pointed towards cracking blowfish, and (by extension) bcrypt, what…
7
votes
1 answer

Is bcrypt safe with the 64-bit block cipher birthday attack?

Recent research made it apparent that birthday attacks are now 'viable' on 64-bit block ciphers which Blowfish uses. (the paper in pdf) At work we use BCrypt for password hashing, as I was thought that for password-hashing it was best/safer as it…
CuccoChaser
6
votes
2 answers

Explain BCrypt like I'm 5

I know this is a little bit broad, but I'd like to understand the function of this algorithm by explaining like I'm 5. And I'd like to know the difference between BCrypt and blowfish, is it because BCrypt is using a salt? I've been reading but I see…
Skizo-ozᴉʞS
3
votes
2 answers

Is AES(Rijndael) faster than Blowfish?

I know theoretically that Blowfish is much faster than AES. But I benchmarked several algorithms including AES and Blowfish for 1MB, 5MB, 10MB etc. files on the Java 8 platform with the Bouncy Castle library. In every test scenario AES is faster than…
ersan
3
votes
2 answers

Is mt_rand() suitable for generating a salt?

Assume I have the following code in order to generate a random blowfish salt for saving a new password: $blowfishCharacters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./'; $salt = ''; $type = '2a'; $cost = '08'; $maxIndex =…
Zwirbelbart
3
votes
4 answers

openssl blowfish key limited to 256 bits?

I get the following error if I give a key that is greater than 64 hex characters (64*4=256 bits). According to this official document, Blowfish is able to support keys from 32 to 448 bits. Variable key length: 32 bits to 448 bits Is it possible to…
Jonas
3
votes
2 answers

Is Blowfish validated against any standards?

OWASP ASVS 3.0 V7.7 states the following: Verify that cryptographic algorithms used by the application have been validated against FIPS 140-2 or an equivalent standard. Blowfish is not included in NIST's database of FIPS 140 validated modules. Has…
3
votes
2 answers

How many rounds should be used to hash card numbers?

We want the ability for payments made without logging in using one of their saved payment methods to be associated with the saved payment method. E.g. if they buy a recurring subscription to magazine 1 using credit card 1, then buy another…
Chris Smith
3
votes
2 answers

Why are application/services still using outdated Blowfish encryption? Is it secure?

For example, CrashPlan, an online backup service, is using 448-bit Blowfish to encrypt its backup files (only enterprise product line has the ability to choose using AES-256). According to Blowfish's creator Bruce Schneier, people should already…
AlienBoy