In the event of a data breach In the early 2010s, it moved from an occasional threat to a permanent reality, but as victim groups, cybersecurity researchers, law enforcement, and the public assess the impact of each incident, a question has arisen. I surfaced many times. It targets which password hashing algorithm is used to protect user passwords?
If the answer is a flawed cryptographic function like SHA-1, then victims have even more to worry about, not to mention the nightmare of passwords stored in cleartext that are not cryptographically scrambled at all. bottom. Crack the password, go directly to the user’s account, and try that password elsewhere to see if the user is reusing the password. However, if the answer is an algorithm known as bcrypt, then at least one less panic.
Bcrypt celebrates its 25th anniversary this year, and one of its co-inventors, Niels Provos, said in retrospect that, thanks to its open-source availability and technical features that have driven its longevity, It states that this algorithm has always had good energy. Provos told WIRED about the algorithms retrospective he published this week on Usenix ;login:. However, like many digital workhorses, there are now more robust and secure alternatives to bcrypt, such as scrypt and hashing algorithms known as Argon2. Provos himself said that the quarter-century milestone is good enough for bcrypt, and he hopes it will fall in popularity before it celebrates its next big birthday.
A version of bcrypt first shipped in June 1997 with the open source operating system OpenBSD 2.1. At the time, the United States still imposed strict export restrictions on cryptography. However, having grown up in Germany, Mr. Provos worked on its development while living and studying in Germany.
“I was very surprised by how popular it became,” he says. “Maybe it was because we were actually solving a real problem, but I also think it was partly because it was open source and not subject to export controls. All the languages of , now have their own implementations, so these days, if you want to do password hashing, it’s going to be available in all languages that bcrypt can operate on. One interesting thing is that it’s still valid 25 years later, it’s just crazy.”
Provos developed bcrypt with David Mazieres, Professor of Systems Security at Stanford University. Mazieres was studying at the Massachusetts Institute of Technology at the time he collaborated with Provos on his bcrypt. The two met through the open source community and worked on OpenBSD.
A hashed password is encrypted through an algorithm that converts it from a readable password to an unintelligible scramble. These algorithms are “one-way functions” and are easy to execute, but very difficult to crack or “crack”, even by the person who created the hash. For login security, when a user chooses a password, the platform they’re using creates a hash of it, and then when they sign into their account, the system takes the password they enter and hashes it. It’s a way of thinking. It then compares the result with the password hashes on file for the account. If the hashes match, login succeeds. This way the service only collects hashes for comparison, not the passwords themselves.