Bcrypt Hash Length & Data Type

TL;DR

Bcrypt hashes are typically 60 characters long and stored as strings. The length is fixed, regardless of the password’s size. They use ASCII encoding.

Understanding Bcrypt Hashes

Bcrypt is a popular password hashing function. It’s designed to be slow, making it harder for attackers to crack passwords by trying lots of guesses (brute-force attacks). Here’s what you need to know about the data type and length of bcrypt hashes:

1. Data Type

Bcrypt hashes are stored as strings, not numbers or other data types. This is important because they contain characters beyond just digits.

2. Hash Length

A standard bcrypt hash is 60 characters long. This length includes:

$2a: A marker identifying the bcrypt algorithm version (usually $2a, $2b or $2y).
10: The cost factor (also known as rounds), which determines how much computational effort is used. This can vary but 10 is common.
32 characters: The actual salt value.
26 characters: The hashed password itself.

Example:

$2a$10$EXAMPLE_SALT_VALUEEXAMPLE_HASHED_PASSWORD

3. Why the Fixed Length?

The fixed length is a key security feature. It prevents attackers from using techniques that rely on knowing the hash length to speed up cracking attempts.

4. Encoding

Bcrypt hashes are encoded using ASCII characters. This means they only use standard printable characters, making them easy to store and transmit.

5. Checking Hash Length in Code (Python Example)

It’s good practice to verify the hash length when you receive a password hash from storage or another source. Here’s how you can do it in Python using the bcrypt library:

import bcrypt

hash = "$2a$10$EXAMPLE_SALT_VALUEEXAMPLE_HASHED_PASSWORD"

if len(hash) == 60:
    print("Hash length is valid.")
else:
    print("Invalid hash length!")

6. What if the Length is Incorrect?

If a bcrypt hash isn’t exactly 60 characters long, it’s likely been tampered with or wasn’t generated correctly. You should:

Reject the hash: Do not use it for authentication.
Investigate the source: Find out why an invalid hash was provided.
Force a password reset: If the user account is compromised, require them to create a new password.

TL;DR

Understanding Bcrypt Hashes

1. Data Type

2. Hash Length

3. Why the Fixed Length?

4. Encoding

5. Checking Hash Length in Code (Python Example)

6. What if the Length is Incorrect?

Something Fresh

Zip Codes & PII: Are They Personal Data?

ZeroNet: 51% Attack Risks & Mitigation

Zero Knowledge Voting with Trusted Server

What People Reading

Feedback and data-driven updates to Googles disclosure policy

Zero-Day Vulnerabilities: User Defence Guide

YubiKey Security: Initial Setup with Yubi Cloud

Security Insider Interview Series: John McArthur, Senior Product Manager, IP Intelligence; and Rupert Young, Senior Director Software Engineering, Data Compilation and Identity, Neustar

Certificate Security in the Wild West

Categories

Partners

Just add here your partners image or promo text

Bcrypt Hash Length & Data Type

TL;DR

Understanding Bcrypt Hashes

1. Data Type

2. Hash Length

3. Why the Fixed Length?

4. Encoding

5. Checking Hash Length in Code (Python Example)

6. What if the Length is Incorrect?

Related posts

Something Fresh

What People Reading

Categories

Partners

Just add here your partners image or promo text