DEV Community πŸ‘©β€πŸ’»πŸ‘¨β€πŸ’»

jyeett
jyeett

Posted on

What is Bcrypt and Why?

In a large majority of the apps we use today, there will be a sign-in feature that requires you to have an account associated with a username or email, and a password. But how can we ensure that our password will be safe from malicious attacks targeting our data? To do this, our app will need a way to encrypt our user's password and store it in a place where it can only be accessed on the backend. While there are many algorithms out there that can do this, we will talk a bit about why bcrypt is one of the leading choices.

What is Bcrypt?

Bcrypt is an algorithm that will allow your application to take the user inputted password and convert it into a hash, which can be thought of as a "digital fingerprint." This hash cannot be reversed back into the original password, so upon login, the application must compare hashes to determine if the correct password was given. Creating just this hash may sound pretty good, but bcrypt can make it better still. Bcrypt will add a random chunk of data called a salt to the password before it is hashed to make it even more unique. To top that off, there is an adaptable cost parameter that can be used to control the number of iterations the algorithm will go through. We will talk about the importance of the cost in the next section.

Why Bcrypt?

What makes bcrypt a bit more special than some other encryption algorithms is that it is considered a slow algorithm. Many algorithms you may be familiar with are looking for the fastest possible runtime in order to maximize optimal response time and space complexity. However in the case of bcrypt, we want the slowest runtime within reason of our user experience. Slowing down this algorithm reduces the possible number of 'guesses' an attacker could make to access your password. For example, we could have users wait for our algorithm to run for 1 or 2 seconds before logging them in, but this amount of time would drastically slow an attacker who would want to try thousands of passwords a second. The cost is what controls how optimized our bcrypt algorithm will be. When deciding on a cost, you want to find a balance between security and usability. The higher the cost, the more secure it will be, but the longer it will take to run.

Comparing to Other Encryption Algorithms

Bcrypt has been compared largely to md5 and SHA algorithms when considering cryptography. The main difference as previously mentioned is that bcrypt is a slow algorithm, while both md5 and SHA are built to be fast. Md5 has been found to be severely compromised due to the fact that its hashes can easily be read through a collision attack, where modern computers can find matching hashes in a matter of seconds. SHA1 in particular is comparable to md5, while the SHA-2 series of algorithms has been built to be more robust, but still has the vulnerabilities of being a fast algorithm.

Bcrypt Compatibility

Being one of the leading encryption tools, bcrypt naturally has implementations in many languages such as C based languages, Golang, Java, Python, PHP, Ruby, and others. In Ruby on Rails for example, by adding the bcrypt gemfile to your application, you will have access to the method "has_secure_password" which includes all of bcrypt's necessary functionality, making implementation much easier on developers. Likewise in other languages, there will be many built in methods to the respective libraries.

If you would like to learn more about bcrypt here are some great resources:

Top comments (0)

Let's Get Wacky


Use any Linode offering to create something unique or silly in the DEV x Linode Hackathon 2022 and win the Wacky Wildcard category

β†’ Join the Hackathon <-