Blog | G5 Cyber Security

BCrypt Workfactor: Choosing a Strong Salt

TL;DR

BCrypt doesn’t directly use a ‘salt’ value that you choose. It generates one automatically for each password. The important setting is the ‘workfactor’, which controls how much computing power is used to hash the password, making it harder to crack. Increase the workfactor as your hardware improves to maintain security.

Understanding BCrypt

BCrypt is a popular password hashing function. It’s designed to be slow and computationally expensive, which makes brute-force attacks much more difficult. Here’s how it works:

Choosing the Right Workfactor

The workfactor is the key setting you control. Here’s how to choose it:

  1. Start with a Reasonable Value: A workfactor of 10 is generally considered a good starting point for modern hardware.
  2. Test Your System: Measure how long it takes to hash a password with different workfactors on your server. You want hashing to take around 0.5-1 second. This ensures it’s slow enough to deter attacks but not so slow that it impacts user experience.
  3. Increase Over Time: As computers get faster, you need to increase the workfactor to maintain the same level of security. Re-evaluate your workfactor every few years.
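As an added example (not code from the original post), the calibration and re-check steps above in Python: `choose_cost` walks the cost range until the measured hashing time meets the target, and `needs_rehash` reads the cost encoded in a stored `$2b$<cost>$...` hash so logins made with an older, lower cost can be upgraded. The live benchmark assumes the `bcrypt` package is installed; the sample hash strings in the comments are constructed.

```python
import re
import statistics
import time
from typing import Callable, Optional

# bcrypt hash layout: $2<variant>$<two-digit cost>$<22-char salt><31-char hash>
_BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def hash_cost(stored_hash: str) -> Optional[int]:
    """Return the workfactor encoded in a bcrypt hash string, or None if it is not bcrypt."""
    m = _BCRYPT_RE.match(stored_hash)
    return int(m.group(1)) if m else None


def needs_rehash(stored_hash: str, current_cost: int) -> bool:
    """True when the stored hash uses a lower cost than current policy (or is not bcrypt at all)."""
    cost = hash_cost(stored_hash)
    return cost is None or cost < current_cost


def choose_cost(measure: Callable[[int], float], target_seconds: float = 0.5,
                min_cost: int = 10, max_cost: int = 18) -> int:
    """Smallest cost in [min_cost, max_cost] whose measured time meets the target.

    Each +1 on the cost doubles the work, so the search stops at the first hit.
    `measure(cost)` returns seconds for one hash; it is injectable so it can be
    tested without the real library.
    """
    for cost in range(min_cost, max_cost + 1):
        if measure(cost) >= target_seconds:
            return cost
    return max_cost  # even the ceiling is too fast; cap rather than loop forever


def measure_bcrypt(cost: int, samples: int = 3) -> float:
    """Median wall-clock seconds for one bcrypt hash at `cost` (requires the `bcrypt` package)."""
    import bcrypt  # assumption: the `bcrypt` PyPI package is installed
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        bcrypt.hashpw(b"benchmark-only-password", bcrypt.gensalt(rounds=cost))
        timings.append(time.perf_counter() - start)
    return statistics.median(timings)


if __name__ == "__main__":
    # Example run on the deploying server; constructed hash shows the rehash check
    print("Recommended cost:", choose_cost(measure_bcrypt, target_seconds=0.5))
    print("Upgrade needed:", needs_rehash("$2b$10$" + "a" * 53, current_cost=12))
```

Run the calibration on the production hardware class, not a developer laptop, since that is where the cost will actually be paid.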

Example (Python)

Here’s how you might use BCrypt in Python:

from bcrypt import gensalt, hashpw, checkpw

pwd = b"mysecretpassword"  # bcrypt takes bytes, not str

# Generate a salt with workfactor 12 (the bcrypt library calls the workfactor "rounds")
salt = gensalt(rounds=12)

# Hash the password; the result embeds the cost and salt, so store it whole
hashed_pwd = hashpw(pwd, salt)

# Verify the password against the stored hash
if checkpw(pwd, hashed_pwd):
    print("Password matches!")
else:
    print("Password does not match.")

Example (PHP)

Here’s how you might use BCrypt in PHP:

<?php
$password = 'mysecretpassword';

// PASSWORD_BCRYPT defaults to a cost (workfactor) of 10; set it explicitly
$hashed_password = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

if (password_verify($password, $hashed_password)) {
    echo "Password matches!";

    // On a successful login, upgrade hashes made with an older, lower cost
    if (password_needs_rehash($hashed_password, PASSWORD_BCRYPT, ['cost' => 12])) {
        $hashed_password = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    }
} else {
    echo "Password does not match.";
}
?>

Important Considerations
