3

Why is it that people use other algorithms, such as bcrypt for securing passwords, and not just a few thousand iterations of an SHA-2 family algorithm?

Note: lets say for examples sake a few thousand is 10,000.

TheChef
  • 31
  • 1
  • 2
    I believe so many iterations of a hashing algorithm would be way less efficient. Also, bcrypt/salts are used to prevent the use of rainbow tables - you may want to look that up. – SaAtomic Mar 13 '17 at 12:39
  • 4
    I think all the concepts of why should one not just hash a password but one needs a salt (like done in bcrypt and others) are explained in detail in [How to securely hash passwords?](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords). Therefore marked as duplicate. – Steffen Ullrich Mar 13 '17 at 13:42

2 Answers2

0

The point of using bcrypt over regular hashing is that throttling (key stretching) can be easily and reliably implemented which makes brute-forcing a time consuming, thus impossible job. Hash functions even with thousands of iterations are still relatively easy and no time job for the processor. Bcrypt is designed to be brute-force resistant as cryptography or computing develop. If password cracking becomes easier, you just increase the cost parameter.

CaffeineAddiction
  • 7,567
  • 2
  • 21
  • 41
Rápli András
  • 2,144
  • 1
  • 11
  • 24
0

Bcrypt implements hashing, proof of work and salting the correct way. The point of using bcrypt is 1) to not reinvent the wheel 2) getting crypto stuff right is hard if someone goes DIY

Oh, and you can increase the cost parameter without the need to update all the other hashes (so you can politely ask the users to change their password and everything will work seamlessy)