ThinkingMonkey

Reputation: 12727

Is Bcrypt used for Hashing or Encryption? A bit of confusion

I have been reading about bcrypt (application perspective). Thinking of using it to store passwords on my site.

Some of the stuff that I read suggests it either way:

  • e.g. 1: Bcrypt is a cross platform file encryption utility from bcrypt
  • e.g. 2: bcrypt is an adaptive password hashing algorithm which uses the Blowfish keying schedule, not a symmetric encryption algorithm. from How To Safely Store A Password
  • bcrypt is an adaptive cryptographic hash function for passwords designed by Niels Provos and David Mazières, based on the Blowfish cipher: from bcrypt wiki

What exactly is Bcrypt?

Upvotes: 29

Views: 24088

Answers (3)

kamal

Reputation: 1034

bcrypt is a key derivation function for passwords.

Also, the difference between hashing (used by bcrypt) and encryption, in simple words, is:

  1. Encrypted data can be decrypted via a secret key.
  2. Hashing is one-way, that is, if you hash the plain text, it's irreversible, hence more secure. The only way to perform the verification is to re-hash the plain text and compare it with the previously hashed data for equality.

Upvotes: 3

Rob

Reputation: 5286

Bcrypt encryption software uses the Blowfish algorithm designed by Bruce Schneier in 1993. [1]

The bcrypt hash function is just that, a hash function. It does not perform encryption, it hashes. It's based on the Blowfish cipher, and is considered a good thing because you can make it slower over time.

From Wikipedia:

This is not cryptographically significantly stronger than the standard Blowfish key schedule, but the number of rekeying rounds is configurable; the hashing process can therefore be made arbitrarily slow, which helps deter brute-force attacks upon the hash or salt.

In regards to storing passwords on your site, you should be encrypting passwords before you hash them.

Only after you encrypt them with some encryption algorithm (e.g. Blowfish, Rijndael / AES) should you use bcrypt to hash the ciphered passwords, and store the password hashes.

For more details on implementing password security, see the top answer to this question.

Upvotes: 10
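Two points above are worth seeing in code: kamal's description of verification (hashing is one-way, so you re-hash the submitted password and compare, never decrypt) and Rob's remark that the hash can be "made slower over time" because the cost is configurable. The following is an added example, not code from either answer. bcrypt is not in Python's standard library, so the same pattern (random per-user salt, cost stored alongside the hash, verification by re-hashing with a constant-time compare, raising the cost on later logins) is shown with PBKDF2-HMAC-SHA256 from hashlib as a stand-in. The record format, constants and function names are this example's own, not a standard.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Record format used by this example (constructed for illustration, not a
# standard): algorithm$cost$salt_b64$hash_b64. Storing the cost next to the
# hash is what lets the work factor be raised later without breaking old records.
ALGORITHM = "pbkdf2_sha256"
CURRENT_COST = 200_000  # iteration count; raise it as hardware gets faster
SALT_BYTES = 16
HASH_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def hash_password(password: str, cost: int = CURRENT_COST,
                  salt: Optional[bytes] = None) -> str:
    """Return a storable record: salted, slow hash with its cost embedded."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 cost, dklen=HASH_BYTES)
    return "$".join([ALGORITHM, str(cost), _b64(salt), _b64(digest)])


def parse_record(record: str) -> Tuple[str, int, bytes, bytes]:
    """Split a stored record into (algorithm, cost, salt, digest)."""
    alg, cost, salt, digest = record.split("$")
    return alg, int(cost), _unb64(salt), _unb64(digest)


def verify_password(password: str, record: str) -> bool:
    """Hashing is one-way: verify by re-hashing with the stored salt and cost,
    then compare in constant time. Nothing here decrypts anything."""
    alg, cost, salt, expected = parse_record(record)
    if alg != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 cost, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, target_cost: int = CURRENT_COST) -> bool:
    """True if the record was produced with a lower cost than current policy."""
    return parse_record(record)[1] < target_cost


def login(password: str, record: str,
          target_cost: int = CURRENT_COST) -> Tuple[bool, str]:
    """Check a login and, on success, upgrade an under-cost record.

    Returns (accepted, record_to_store). The plaintext is only available at
    login time, so that is the only moment an old record can be re-hashed
    at the higher cost.
    """
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record, target_cost):
        return True, hash_password(password, cost=target_cost)
    return True, record


if __name__ == "__main__":
    old = hash_password("correct horse battery staple", cost=10_000)
    print("stored:", old)
    print("right password:", verify_password("correct horse battery staple", old))
    print("wrong password:", verify_password("Correct horse battery staple", old))
    ok, upgraded = login("correct horse battery staple", old)
    print("accepted:", ok, "rehashed:", upgraded != old,
          "new cost:", parse_record(upgraded)[1])
```

The third-party bcrypt package follows the same shape: `bcrypt.gensalt(rounds=...)` fixes the cost, `bcrypt.hashpw` produces the record with salt and cost embedded, and `bcrypt.checkpw` re-hashes and compares. Whatever the function, the stored value is never decrypted; the only operation on it is the comparison, and the cost parameter is what lets the same scheme keep up with faster hardware.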

PaulG

Reputation: 14021

It is both :)

Most of the time when people mention BCrypt, they are talking about the adaptive hash algorithm, but it is also the name of an unrelated file encryption utility.

Both are based on the Blowfish cipher.

Upvotes: 27
