
I recently discovered that Patreon uses hashing, but what is it? When I searched it up, I found: "bcrypt is a password-hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher and presented at USENIX in 1999." What does that mean?

Does this answer your question? [How does hashing work?](https://security.stackexchange.com/questions/33860/how-does-hashing-work), [Explain BCrypt like I'm 5](https://security.stackexchange.com/questions/206217/explain-bcrypt-like-im-5) – Steffen Ullrich Jan 19 '23 at 05:52

1 Answer


In computer security or cryptography, a hash is the output of a hashing function. A hashing function or algorithm has a set of desirable attributes for some security requirements:

  • The input is always an array of bytes of any size
  • The output is always an array of bytes, the size of which is usually fixed by each algorithm
  • The function is one-way, meaning that if you have the output, finding the input can only be done by trying all possibilities (brute force)
  • Two different inputs should always have different outputs**

** Side note: this isn't guaranteed (for arbitrary input sizes it can't be), but in reality hashing functions are made such that constructing two different inputs with the same output is very hard, or there is no obvious way to do it.

Examples of these functions include MD5, SHA256, SHA512, etc.

One use for such a function could be checking if a file has changed or is different than an expected one (for example, if you receive a file from someone and have a different value for the hash of it than the one who sent it to you, then the file might have been tampered with), other uses include digital signatures, message authentication and so on.

Now, for the use that you specified, websites and other services where users need to log in using passwords use (or should use) a subclass of hashing algorithms called password hashing algorithms and don't store the user's password as is, but, they store a hash of it.

When a user registers, the username (and/or email) is stored alongside the password hash. When a user wants to log into the platform, the password hash associated with that username is retrieved and checked against the password entered by the user; if the hashes are the same, then the password is the same and the user is authenticated (or asked for other MFA credentials).

The reason for this is that if an attacker or a malicious insider can only obtain the usernames and hashes, then they can't access the user's account without brute-forcing the hashes (which should be hard for complex passwords).

Algorithms for password hashing (such as bcrypt) have some added properties (as opposed to MD5, SHA256, SHA512, etc which are cryptographic hash functions and should never be used for password storage):

  1. they are meant to be "salted", meaning that besides the provided input (password), there is also a randomly generated secondary input (salt) making it such that it's impossible to tell if two users use the same password and makes it impossible to use rainbow tables (precomputed input-output pairs for the hashing function) since you also need the salt to compute the hash
  2. they are meant to be slow (the slower a function is, the harder it is for an attacker to brute-force a hash) and impossible to implement as a circuit (also an anti-brute-force measure, since hardware that is made to do only one thing is faster than a CPU / GPU that is meant to do a lot more things)
– Zicar
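The following is an added example (not part of the question, the answer, or Patreon's code) that walks through the three things the answer describes: a plain cryptographic hash used to detect a changed file, the weakness of storing an unsalted fast hash of a password, and a salted, deliberately slow password hash stored at registration and recomputed at login. It uses PBKDF2-HMAC-SHA256 from Python's standard library in place of bcrypt, because bcrypt needs a third-party package; the record format, the iteration count, and the in-memory user table are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Demonstration parameters (assumptions, not a recommendation for production).
# The iteration count is what makes the hash slow; tune it on real hardware
# so one hash costs on the order of 100 ms.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
HASH_NAME = "sha256"


def file_digest(data: bytes) -> str:
    """Plain cryptographic hash (SHA-256) for integrity checking.

    Sender and receiver each compute this; if the values differ,
    the file is not the one that was sent.
    """
    return hashlib.sha256(data).hexdigest()


def unsalted_password_hash(password: str) -> str:
    """What NOT to do for password storage: a fast, unsalted hash.

    Equal passwords give equal hashes, so a leaked table shows which users
    share a password, and a precomputed (rainbow) table applies to all of them.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow password hash (PBKDF2-HMAC-SHA256).

    Returns a self-describing record that is stored instead of the password:
        pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
    The salt is random per user, so equal passwords give different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt at every registration
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac(HASH_NAME, candidate.encode("utf-8"), salt, rounds)
    # compare_digest avoids leaking, through timing, how many bytes matched
    return hmac.compare_digest(actual, expected)


# Constructed in-memory "user table": username -> stored hash record.
USERS = {}


def register(username: str, password: str) -> None:
    """Store only the salted hash record, never the password itself."""
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    """Look up the stored record and check the entered password against it."""
    record = USERS.get(username)
    if record is None:
        hash_password(password)  # spend the same time for unknown usernames
        return False
    return verify_password(record, password)


if __name__ == "__main__":
    # Integrity check: one flipped byte changes the digest completely.
    print(file_digest(b"contract v1"), file_digest(b"contract v2"), sep="\n")

    # Two users with the same password: unsalted hashes collide, salted ones do not.
    print(unsalted_password_hash("hunter2") == unsalted_password_hash("hunter2"))  # True
    print(hash_password("hunter2") == hash_password("hunter2"))  # False

    register("alice", "correct horse battery staple")
    print(USERS["alice"])  # the only thing stored for alice
    print(login("alice", "correct horse battery staple"))  # True
    print(login("alice", "wrong password"))  # False
```

Note that the stored record carries its own salt and iteration count, so the server can raise the cost for new registrations later and still verify old records; with bcrypt the `$2b$12$...` string plays the same self-describing role.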