Are you slowly starting to get really annoyed because of weak resistance to brute-force or rainbow attacks your hashing methods? If so, you should find out more about BCrypt.
As we know, passwords keeping in IT systems can be divided into two groups: hashed and encrypted. The difference is obvious, first is irreversible, second is reversible. Anyway, in this post, I want to stay focused on hashed passwords.
Why won’t just hashing work?
Because it is vulnerable to a brute-force attack or rainbow tables. On the Internet, there are a lot of prepared rainbow tables or tools to crashed hashes, which may be a desire for potentials crackers who want to obtain our passwords…
What if we used salted hashes?
It is not enough as well. Why? Because we still can use brute force attack and in conjunction with super high-end consumer graphics cards what gives us a chance to ‘crack’ passwords. This is an experiment made by Troy Hunt which proves these words: https://www.troyhunt.com/our-password-hashing-has-no-clothes/
So, what is the solution? Stretching!
Stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the time it takes to test each possible key.
This method usually consists of repeatedly hashing the function. It is simple to implement and gives very good results. BCrypt, Scrypt, Argon2, PBKDF2 are widely used key stretching algorithms and the first one
BCrypt is a cryptographic hash function, which was created specifically designed to static passwords, not to binary data. The BCrypt hash scheme contains: <salt> <pwhash>, whereas, the salt consists of the following elements:
$ <version> – version of the BCrypt algorithm
$ <rounds> – a number from 4 to 99 specifying work factor of the algorithm
$ <saltaddon> – 22 random chars added to salt. This string is verified by the regular expression [./A-Za-z0-9].
The salt and hash are stored in the database as one string. BCrypt returns a hash encoded by an internal version of Base64 binary-to-text encoding scheme. The algorithm may seem more complicated than MD5 or SHA, but using it is very simple.
Example of the generation of the BCrypt hash in Python using the py-bcrypt library:
import bcrypt # Generate hash with own salt settings bcrypt.hashpw("password","$2a$12$1234567890123456789012") # Generate hash with work factor 12 bcrypt.hashpw("password", bcrypt.gensalt(12))
What work factor is? It could explain as a level of the computational complexity. It means that each increase work factor causing increases the computation time twice.
To sum up, I hope, no one will want to implement BCrypt algorithm on its own, it just better use one of the existing implementations. Lastly, you need to still aware that human is the most dangerous IT security risk. Even when you have the best security and the best professionals, your drunk assistant, if he meets a sexy girl in the night club, can reveal sensitive data what could do a lot of damage later.