TL;DR
BCrypt doesn’t directly use a ‘salt’ value that you choose. It generates one automatically for each password. The important setting is the ‘workfactor’, which controls how much computing power is used to hash the password, making it harder to crack. Increase the workfactor as your hardware improves to maintain security.
Understanding BCrypt
BCrypt is a popular password hashing function. It’s designed to be slow and computationally expensive, which makes brute-force attacks much more difficult. Here’s how it works:
- Salt Generation: When you hash a password with BCrypt, it automatically creates a random salt for that specific password and embeds it in the resulting hash string, so you don’t need to supply or store one yourself.
- Workfactor (also called the cost): This controls how much work each hash takes. The value is logarithmic, so each increment doubles the hashing time. Higher workfactors take longer but are more secure.
Choosing the Right Workfactor
The workfactor is the key setting you control. Here’s how to choose it:
- Start with a Reasonable Value: A workfactor of 10 is generally considered a good starting point for modern hardware.
- Test Your System: Measure how long it takes to hash a password with different workfactors on your server. You want hashing to take around 0.5-1 second. This ensures it’s slow enough to deter attacks but not so slow that it impacts user experience.
- Increase Over Time: As computers get faster, you need to increase the workfactor to maintain the same level of security. Re-evaluate your workfactor every few years.
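The three steps above (pick a starting value, time it on your own hardware, raise it over time) as an added Python example; this is not code from the original article. It assumes the `bcrypt` package only for the optional live benchmark, and the stored hash it inspects is a constructed string in bcrypt’s format, not a real hash of any password. The `measure` callback passed to `choose_cost` is a hypothetical interface introduced here so the selection logic can be checked without timing real hashes.

```python
import re
import time

# Layout of a bcrypt string: $2<variant>$<cost>$<22-char salt><31-char hash>.
# The two-digit cost field is the workfactor the hash was created with.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Constructed sample in bcrypt's format (not a real hash of any password).
SAMPLE_STORED_HASH = "$2b$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcde"


def bcrypt_cost(stored_hash: str) -> int:
    """Return the workfactor encoded in a stored bcrypt hash, or raise ValueError."""
    match = BCRYPT_RE.match(stored_hash)
    if match is None:
        raise ValueError("not a bcrypt hash string")
    return int(match.group(1))


def needs_rehash(stored_hash: str, target_cost: int) -> bool:
    """True when the stored hash was made with a lower workfactor than we now want."""
    return bcrypt_cost(stored_hash) < target_cost


def choose_cost(measure, target_seconds: float = 0.5, start: int = 10, max_cost: int = 16) -> int:
    """Return the smallest cost in [start, max_cost] whose hash time reaches target_seconds.

    `measure(cost)` (hypothetical interface) must return the seconds one hash takes
    at that cost; it is injected so the selection can be tested without real bcrypt.
    """
    for cost in range(start, max_cost + 1):
        if measure(cost) >= target_seconds:
            return cost
    return max_cost  # hardware faster than this range allows; cap instead of looping forever


def measure_bcrypt(cost: int) -> float:
    """Time one real bcrypt hash at `cost` (requires the `bcrypt` package)."""
    import bcrypt  # imported lazily so the rest of the module works without it
    started = time.perf_counter()
    bcrypt.hashpw(b"benchmark-only-password", bcrypt.gensalt(rounds=cost))
    return time.perf_counter() - started


if __name__ == "__main__":
    try:
        cost = choose_cost(measure_bcrypt)
        print(f"workfactor for ~0.5 s per hash on this machine: {cost}")
        print("sample hash needs rehash:", needs_rehash(SAMPLE_STORED_HASH, cost))
    except ImportError:
        print("install the bcrypt package to benchmark real hashing")
```

Because the workfactor is stored inside every hash, old hashes can be upgraded transparently: after a login succeeds with `checkpw`, call `needs_rehash` and, if it returns True, hash the just-verified password again at the current cost and overwrite the stored value. PHP offers the same check natively as `password_needs_rehash`.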
Example (Python)
Here’s how you might use BCrypt in Python:
from bcrypt import gensalt, hashpw, checkpw

pwd = b"mysecretpassword"

# Generate a salt with workfactor 12 (the bcrypt package names this parameter `rounds`)
salt = gensalt(rounds=12)

# Hash the password; the salt and workfactor are embedded in the result
hashed_pwd = hashpw(pwd, salt)

# Verify the password against the stored hash
if checkpw(pwd, hashed_pwd):
    print("Password matches!")
else:
    print("Password does not match.")
Example (PHP)
Here’s how you might use BCrypt in PHP:
<?php
$password = 'mysecretpassword';

// Hash with an explicit cost (the workfactor); PHP's default is 10
$hashed_password = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

// Verify the password against the stored hash
if (password_verify($password, $hashed_password)) {
    echo "Password matches!";
} else {
    echo "Password does not match.";
}
?>
Important Considerations
- Never Store Passwords in Plain Text: Always hash passwords before storing them.
- Use a Reputable Library: Use well-maintained BCrypt libraries for your programming language.
- Regularly Update Libraries: Keep your BCrypt library up to date to benefit from security improvements and bug fixes.

