user3767551

Reputation: 69

Is storing a Bcrypt hashed password directly in the DB advisable?

Because the format of the hashed string ($2y$10$salt....) itself gives clues to a hacker (i.e., someone who hacked the DB) that the encryption is done using the Bcrypt algorithm, and so he can easily hack it by using password_verify() in PHP, passing his guessed passwords as parameters.

Upvotes: 1

Views: 1111

Answers (1)

martinstoeckli

Reputation: 24071

There is no disadvantage in storing those BCrypt hashes directly in the database; none of the parameters are meant to be secret. Furthermore, they allow switching to a better algorithm (or increasing the cost factor) without becoming incompatible with older hashes.

If those parameters were hidden somehow, an attacker would have to guess them. But there are not that many possible values; a cost factor, e.g., only makes sense between 9 and 13. If you really want to add such a server-side secret, there are much better ways to do it. You could encrypt (two-way) the already hashed values with a strong key; then an attacker has to "guess" this key, which is impossible.

Upvotes: 1
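An added example (not code from the question or the answer) illustrating the answer's two points in PHP: the bcrypt string already carries its algorithm, cost and salt, which is what lets password_verify() and password_needs_rehash() work without extra metadata, and the optional server-side secret can be added by encrypting the finished hash with a libsodium key kept outside the database. The password and cost values are constructed for illustration.

```php
<?php
// Hash with bcrypt at an explicit cost of 10 (constructed sample password).
$password = 'correct horse battery staple';
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

// Everything an attacker learns from the stored string is public by design:
// "$2y$" = bcrypt variant, "10" = cost, 22 chars of salt, 31 chars of hash.
preg_match('/^\$(2[aby])\$(\d{2})\$(.{22})(.{31})$/', $hash, $m);
printf("algo=%s cost=%s salt=%s\n", $m[1], $m[2], $m[3]);

// password_verify() reads cost and salt from the hash itself, so the database
// needs no separate columns for them.
var_dump(password_verify($password, $hash));
var_dump(password_verify('wrong guess', $hash));

// Because the cost travels with the hash, old rows keep verifying while new
// ones use a stronger setting; upgrade transparently on a successful login.
$policy = ['cost' => 12];
if (password_verify($password, $hash)
    && password_needs_rehash($hash, PASSWORD_BCRYPT, $policy)) {
    $hash = password_hash($password, PASSWORD_BCRYPT, $policy);
}

// Optional server-side secret, as the answer suggests: encrypt the finished
// hash with a key that lives in config or a KMS, never in the same database.
$key    = sodium_crypto_secretbox_keygen();
$nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$stored = base64_encode($nonce . sodium_crypto_secretbox($hash, $nonce, $key));

// Verification path: decrypt first, then run password_verify() on the result.
$raw   = base64_decode($stored);
$nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$plain = sodium_crypto_secretbox_open(
    substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
var_dump($plain !== false && password_verify($password, $plain));
```

Requires PHP 7.2 or later for the sodium_* functions.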
