
When the subject of password hashing comes up, a lot of developers get exasperated by people using outdated, broken, or hand-rolled hashing schemes, and I frequently hear "just use bcrypt!" repeated like a mantra. But when I mentioned this to another developer recently, he said that bcrypt is based on Blowfish, whose author has been recommending that it be discontinued for at least 6 years now.

In the article, it appears that he's talking about Blowfish encryption, which I know is a completely different thing from password hashing, but on the other hand, you can't build a solid house on a shaky foundation. So I have to ask, is it still a good idea to use bcrypt?

Mason Wheeler

1 Answer


The suitability of blowfish as a cipher and bcrypt as a password hash are mostly unrelated. There are many better replacements for blowfish, but not so much for bcrypt.

Blowfish is mostly discouraged because it has a better replacement in AES, not because it's broken. AES has seen a lot of analysis, during and since the competition. Another problem with Blowfish is its 64-bit block size, which leads to relatively small limits on how much data can be encrypted using one key, whereas AES uses 128-bit blocks and can thus safely handle larger amounts of data. It also has some annoying properties, such as slow key setup and relatively high memory use.

PBKDF2-HMAC-SHA-1/2/3 is significantly weaker than bcrypt, so I'd only choose it if you need standards compliance or if your language only ships it, but not bcrypt, by default. The underlying hashes may be secure, but that doesn't make it a good password hash.

As a modern replacement for bcrypt, the only currently feasible candidate is scrypt. It offers improved security, but it's relatively new, not very popular, and hasn't seen much analysis. It hasn't been included in many standard libraries yet either. So more conservative cryptographers will prefer bcrypt over scrypt.

A competition to find a new password hash resulted in a few interesting alternatives, such as its winner Argon. But I don't consider these suitable for production for another five years or so. Perhaps in 2020 we might have a similar opinion of bcrypt as we have of blowfish now, but we're not there yet. For now bcrypt is a good choice if you're conservative, or scrypt if you're progressive.

CodesInChaos
  • scrypt is not a "modern replacement" for bcrypt. [Scrypt turned out not to be as good as advertised](http://crypto.stackexchange.com/questions/31855/scrypt-not-old-enough-to-be-safe) and you probably shouldn't use it for a server that is authenticating logins because it is abysmal for anything besides hard disk encryption. – sethmlarson Aug 11 '16 at 13:17
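The answer rates PBKDF2 below bcrypt and scrypt, and the practical follow-on question is how to move existing PBKDF2 records without a forced password reset. The following stdlib-only Python is an added example, not code from the question, the answer or any library: it verifies a record with whatever algorithm and parameters it was stored under, and on a successful login returns a fresh scrypt record to replace a legacy PBKDF2 one (or an scrypt one with lower cost). The `$alg$...` record layout, the cost parameters and the use of `hashlib.scrypt` as the stand-in for bcrypt (which `hashlib` does not ship) are my assumptions.

```python
import base64, hashlib, hmac, os

# Assumed record layout (constructed for this example, not a standard encoding):
#   $scrypt$<n>$<r>$<p>$<salt_b64>$<hash_b64>
#   $pbkdf2-sha256$<iterations>$<salt_b64>$<hash_b64>
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1  # assumed interactive-login cost (16 MiB)
PBKDF2_ITERS = 100_000                      # assumed legacy iteration count

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

def hash_scrypt(password, salt=None):
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                        p=SCRYPT_P, dklen=32)
    return f"$scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(dk)}"

def hash_pbkdf2(password, salt=None, iters=PBKDF2_ITERS):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters, 32)
    return f"$pbkdf2-sha256${iters}${_b64(salt)}${_b64(dk)}"

def verify(password, record):
    """Recompute the record with its own stored parameters and compare."""
    f = record.split("$")[1:]
    try:
        if f[0] == "scrypt":
            n, r, p = (int(x) for x in f[1:4])
            salt, dk = base64.b64decode(f[4]), base64.b64decode(f[5])
            cand = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                                  dklen=len(dk))
        elif f[0] == "pbkdf2-sha256":
            salt, dk = base64.b64decode(f[2]), base64.b64decode(f[3])
            cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                       int(f[1]), len(dk))
        else:
            return False  # unknown algorithm: reject, never silently accept
    except (IndexError, ValueError):
        return False      # malformed record or invalid parameters
    return hmac.compare_digest(cand, dk)  # constant-time comparison

def needs_rehash(record):  # legacy PBKDF2, or scrypt below the current cost
    f = record.split("$")[1:]
    return f[0] != "scrypt" or tuple(int(x) for x in f[1:4]) != (SCRYPT_N, SCRYPT_R, SCRYPT_P)

def login(password, record):
    """Return (ok, replacement); replacement is a new scrypt record to store
    when the password verified against a record that should be upgraded."""
    if not verify(password, record):
        return False, None
    return True, (hash_scrypt(password) if needs_rehash(record) else None)
```

The replacement record is only produced after a successful verification, so a wrong password never triggers a rehash, and unknown or malformed records are rejected rather than upgraded.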