Blog | G5 Cyber Security

Bcrypt Hash Length & Data Type

TL;DR

Bcrypt hashes are typically 60 characters long and stored as strings. The length is fixed, regardless of the password’s size. They use ASCII encoding.

Understanding Bcrypt Hashes

Bcrypt is a popular password hashing function. It’s designed to be slow, making it harder for attackers to crack passwords by trying lots of guesses (brute-force attacks). Here’s what you need to know about the data type and length of bcrypt hashes:

1. Data Type

Bcrypt hashes are stored as strings, not numbers or other data types. This is important because they contain characters beyond just digits.

2. Hash Length

A standard bcrypt hash is 60 characters long. This length includes:

Example:

$2a$10$EXAMPLE_SALT_VALUEEXAMPLE_HASHED_PASSWORD

3. Why the Fixed Length?

The fixed length is a key security feature. It prevents attackers from using techniques that rely on knowing the hash length to speed up cracking attempts.

4. Encoding

Bcrypt hashes are encoded using ASCII characters. This means they only use standard printable characters, making them easy to store and transmit.

5. Checking Hash Length in Code (Python Example)

It’s good practice to verify the hash length when you receive a password hash from storage or another source. Here’s how you can do it in Python using the bcrypt library:

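import bcrypt  # the library that would later verify the hash, e.g. bcrypt.checkpw()

# Placeholder from the example above. It is shorter than 60 characters,
# so this script takes the "Invalid" branch until a real stored hash is substituted.
stored_hash = "$2a$10$EXAMPLE_SALT_VALUEEXAMPLE_HASHED_PASSWORD"

# Named stored_hash rather than hash to avoid shadowing Python's built-in hash().
if len(stored_hash) == 60:
    print("Hash length is valid.")
else:
    print("Invalid hash length!")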
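
The following is an added example, not code from the original post or from the bcrypt library: it goes beyond the length check above and also validates the `$2x$NN$` prefix, the cost range and the character set, using only the standard library. The function name `parse_bcrypt_hash` and the sample strings are assumptions constructed for this illustration.

```python
import re

# Modular-crypt layout of a bcrypt hash, 60 ASCII characters in total:
#   $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"\$2([abxy])\$([0-9]{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})"
)


def parse_bcrypt_hash(value):
    """Return (variant, cost, salt, digest) or raise ValueError with the reason."""
    if isinstance(value, bytes):
        try:
            value = value.decode("ascii")
        except UnicodeDecodeError:
            raise ValueError("hash contains non-ASCII bytes") from None
    if not isinstance(value, str):
        raise ValueError("hash must be str or bytes")
    # Length first: catches truncated columns and space-padded fixed-width fields.
    if len(value) != 60:
        raise ValueError(f"expected 60 characters, got {len(value)}")
    match = BCRYPT_RE.fullmatch(value)
    if match is None:
        raise ValueError("not in $2x$NN$<53 chars> bcrypt format")
    variant, cost, salt, digest = match.groups()
    if not 4 <= int(cost) <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's 4..31 range")
    return "2" + variant, int(cost), salt, digest


# Constructed sample: syntactically valid only, not the hash of any real password.
VALID = "$2b$12$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
# Placeholder string from the article's own example (too short to be a real hash).
PLACEHOLDER = "$2a$10$EXAMPLE_SALT_VALUEEXAMPLE_HASHED_PASSWORD"

if __name__ == "__main__":
    samples = (VALID, PLACEHOLDER, VALID + "    ", VALID.replace("$12$", "$99$"))
    for sample in samples:
        try:
            print(parse_bcrypt_hash(sample))
        except ValueError as err:
            print("rejected:", err)
```

A value that passes this check is only well-formed; whether it matches a password is still decided by the bcrypt library's own verification call.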

6. What if the Length is Incorrect?

If a bcrypt hash isn’t exactly 60 characters long, it’s likely been tampered with or wasn’t generated correctly. You should:
