Are you slowly starting to get really annoyed because of weak resistance to brute-force or rainbow attacks your hashing methods? If so, you should find out more about BCrypt.

As we know, passwords keeping in IT systems can be divided into two groups: hashed and encrypted. The difference is obvious, first is irreversible, second is reversible. Anyway, in this post, I want to stay focused on hashed passwords.

Why won’t just hashing work?

Because it is vulnerable to a brute-force attack or rainbow tables. On the Internet, there are a lot of prepared rainbow tables or tools to crashed hashes, which may be a desire for potentials crackers who want to obtain our passwords…

What if we used salted hashes?

It is not enough as well. Why? Because we still can use brute force attack and in conjunction with super high-end consumer graphics cards what gives us a chance to ‘crack’ passwords. This is an experiment made by Troy Hunt which proves these words:

So, what is the solution? Stretching!

Stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the time it takes to test each possible key.

This method usually consists of repeatedly hashing the function. It is simple to implement and gives very good results. BCrypt, Scrypt, Argon2, PBKDF2 are widely used key stretching algorithms and the first one


BCrypt is a cryptographic hash function, which was created specifically designed to static passwords, not to binary data. The BCrypt hash scheme contains: <salt> <pwhash>, whereas, the salt consists of the following elements:

$ <version> – version of the BCrypt algorithm
$ <rounds> – a number from 4 to 99 specifying work factor of the algorithm
$ <saltaddon> – 22 random chars added to salt. This string is verified by the regular expression [./A-Za-z0-9].

The salt and hash are stored in the database as one string. BCrypt returns a hash encoded by an internal version of Base64 binary-to-text encoding scheme. The algorithm may seem more complicated than MD5 or SHA, but using it is very simple.

Example of the generation of the BCrypt hash in Python using the py-bcrypt library:

import bcrypt

# Generate hash with own salt settings
# Generate hash with work factor 12
bcrypt.hashpw("password", bcrypt.gensalt(12))

What work factor is? It could explain as a level of the computational complexity. It means that each increase work factor causing increases the computation time twice.

To sum up, I hope, no one will want to implement BCrypt algorithm on its own, it just better use one of the existing implementations. Lastly, you need to still aware that human is the most dangerous IT security risk. Even when you have the best security and the best professionals, your drunk assistant, if he meets a sexy girl in the night club, can reveal sensitive data what could do a lot of damage later.

About The Author

I am a software developer from Poland, currently focused on the .NET platform. I’ve been incredibly passionate about IT since a young age and am always seeking to expand my skillset. Furthermore, my personal development plan includes machine learning, cryptocurrency, image processing, and the Scrum framework. Turning to the personal part of my life. I’m a licensed paraglider holding an International Pilot Proficiency Information Card, a proud Arsenal F.C. supporter and avid traveller with an infatuation for the natural beauty of New Zealand. I’m keen on unusual or extreme sports, and I love to discover and try out new things.

Related Posts

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.