Hash Lab

Password hashing / KDF

bcrypt

A password hashing function built on the deliberately expensive key schedule of the Blowfish cipher, designed by Niels Provos and David Mazières (USENIX 1999). bcrypt was the first widely deployed password hash with a tunable cost factor; twenty-five-plus years later it is still a fine choice when memory-hardness is not required.

At a glance

Output: 128-bit salt plus 184-bit hash (the first 23 of the 24 bytes EksBlowfish produces), encoded together in a 60-character string $2b$NN$…
Cost: single log2 work factor; 10-12 is typical in 2026
Internal primitive: Blowfish's expensive key schedule (EksBlowfish)
Memory-hard? No (~4 KiB of S-box state per attempt)
Password length limit: 72 bytes (the 18 32-bit words of the Blowfish P-array the key is XORed into)
Standard: none formal; Provos & Mazières, USENIX 1999
Status: battle-tested; prefer Argon2id for new designs

How the cost factor works

The cost parameter is a base-2 logarithm of the round count: cost 10 means 2^10 = 1024 passes of the expensive key schedule, cost 12 means 2^12 = 4096, and each increment doubles the time (and halves an attacker's guesses per second per device). Calibrate so one verification takes roughly 250 ms on the slowest hardware that will run it, and revisit every couple of years. bcrypt embeds the cost (and the salt) in the encoded string, so verification automatically uses the parameters the hash was created with. The flip side is that raising the default cost does nothing to hashes already stored: they are only upgraded when you re-hash on the user's next successful login, the one moment the plaintext is available.
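The encoded format described above, as an added example that is not code from the Hash Lab page: a standard-library-only parser for the $2b$NN$… string (bcrypt's own base64 alphabet, the 22-character salt, the 31-character hash) and a needs_rehash() check that a login handler can run after a successful verify. The sample string is constructed from fixed bytes so the encoding can be exercised; it is not the real bcrypt of any password, and the bcrypt computation itself is left to a real library.

```python
# Added example, not code from the Hash Lab page. Parses the bcrypt
# encoded-string format ($2b$NN$<22-char salt><31-char hash>) and decides
# whether a stored hash should be re-hashed. Standard library only; the
# bcrypt computation itself is left to a real library (e.g. PyPI "bcrypt").
import re

# bcrypt's own base64 alphabet. It is NOT RFC 4648: "." and "/" come first
# and there is no "=" padding.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# $ <version> $ <two-digit cost> $ <22 salt chars><31 hash chars>
_BCRYPT_RE = re.compile(r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{53})$")


def bcrypt_b64encode(data: bytes) -> str:
    """Encode bytes with bcrypt's alphabet; a trailing 1- or 2-byte group
    becomes 2 or 3 characters (the spare low bits are zero)."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")  # 24-bit group
        for k in range({3: 4, 2: 3, 1: 2}[len(chunk)]):
            out.append(BCRYPT_ALPHABET[(n >> (18 - 6 * k)) & 0x3F])
    return "".join(out)


def bcrypt_b64decode(text: str) -> bytes:
    """Inverse of bcrypt_b64encode: 4 chars -> 3 bytes, 3 -> 2, 2 -> 1."""
    out = bytearray()
    for i in range(0, len(text), 4):
        chunk = text[i:i + 4]
        if len(chunk) == 1:
            raise ValueError("dangling bcrypt base64 character")
        n = 0
        for c in chunk:
            n = (n << 6) | BCRYPT_ALPHABET.index(c)  # ValueError on a bad char
        n <<= 6 * (4 - len(chunk))                  # left-align to 24 bits
        out += n.to_bytes(3, "big")[: {4: 3, 3: 2, 2: 1}[len(chunk)]]
    return bytes(out)


def parse_bcrypt(encoded: str) -> dict:
    """Split an encoded bcrypt string into its fields.

    Salt and cost travel inside the string, which is why verification needs
    no side channel for parameters and why changing the default cost does
    nothing to hashes already in the database.
    """
    m = _BCRYPT_RE.match(encoded)
    if not m:
        raise ValueError("not a bcrypt hash string")
    version, cost_str, body = m.groups()
    cost = int(cost_str)
    if not 4 <= cost <= 31:  # range accepted by the OpenBSD reference code
        raise ValueError(f"cost {cost} out of range")
    return {
        "version": version,                    # "2a", "2b", "2x" or "2y"
        "cost": cost,                          # log2 of the round count
        "rounds": 1 << cost,                   # 2**cost key-schedule passes
        "salt": bcrypt_b64decode(body[:22]),   # 16 bytes
        "hash": bcrypt_b64decode(body[22:]),   # 23 bytes
    }


def needs_rehash(encoded: str, target_cost: int = 12, target_version: str = "2b") -> bool:
    """True when a hash that just verified should be replaced on this login:
    its cost is below current policy or it carries a legacy prefix."""
    info = parse_bcrypt(encoded)
    return info["cost"] < target_cost or info["version"] != target_version


# Constructed sample: a valid-looking $2b$12$ string built from fixed bytes.
# It is NOT the real bcrypt of any password; only the encoding is exercised.
SAMPLE_SALT = bytes(range(16))
SAMPLE_DIGEST = bytes(range(100, 123))
SAMPLE_HASH = "$2b$12$" + bcrypt_b64encode(SAMPLE_SALT) + bcrypt_b64encode(SAMPLE_DIGEST)

if __name__ == "__main__":
    info = parse_bcrypt(SAMPLE_HASH)
    print(SAMPLE_HASH, info["version"], info["cost"], info["rounds"], info["salt"].hex())
    print("needs rehash at cost 12:", needs_rehash(SAMPLE_HASH))
    print("needs rehash at cost 13:", needs_rehash(SAMPLE_HASH, target_cost=13))
```

The place to call needs_rehash() is immediately after a successful verify, while the plaintext is still in hand; a background job cannot upgrade costs because it has no passwords to re-hash.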

The 72-byte limit

bcrypt keys EksBlowfish with at most 72 bytes of password (the 18 32-bit words of the Blowfish P-array, 4 bytes each). Most implementations silently truncate longer inputs; a few newer libraries reject them instead, and some count the terminating NUL against the 72, leaving 71 usable bytes. Either way, two passwords that agree on their first 72 bytes verify against the same hash, and because the limit is in bytes a UTF-8 password can be cut mid-character. The standard mitigation is to pre-hash with HMAC-SHA-256 keyed by a server-side pepper, base64-encode the digest (so the input is 44 bytes with no NUL byte in it) and feed that to bcrypt:

bcrypt.hash(base64(hmac_sha256(pepper, password)), cost=12)
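The truncation and the pre-hash above, as an added example that is not code from the Hash Lab page: it shows two constructed passwords that bcrypt would treat as identical, the HMAC-SHA-256 pre-hash that separates them, and why the base64 step is there. Standard library only; bcrypt is not called, and the pepper value is made up.

```python
# Added example, not code from the Hash Lab page. Shows the 72-byte truncation
# and the pre-hash that avoids it. Standard library only; bcrypt itself is not
# called. PEPPER and the two passwords are constructed for the demonstration.
import base64
import hashlib
import hmac

BCRYPT_MAX_BYTES = 72

# In production the pepper lives outside the database (environment, secret
# manager, KMS), never next to the hashes. This value is made up.
PEPPER = b"constructed-pepper-value-not-for-production"


def bcrypt_effective_input(password: str) -> bytes:
    """What a truncating bcrypt actually keys on: the first 72 bytes of UTF-8.
    The cut is in bytes, so a multi-byte character can be split."""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def truncation_collides(a: str, b: str) -> bool:
    """True when two different passwords would verify against the same bcrypt hash."""
    return bcrypt_effective_input(a) == bcrypt_effective_input(b)


def prehash_for_bcrypt(password: str, pepper: bytes) -> bytes:
    """HMAC-SHA-256(pepper, password), base64 encoded: the bytes to hand bcrypt.

    base64 is not decoration. It keeps the input at 44 bytes (inside the 72
    limit) and guarantees no 0x00 byte; a C-string bcrypt API would stop at
    a NUL inside a raw digest and hash only the bytes before it.
    """
    mac = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac)


# Constructed passwords that agree on their first 72 bytes.
LONG_A = "a" * 72 + "correct-horse-battery-staple"
LONG_B = "a" * 72 + "wrong-horse"

if __name__ == "__main__":
    print("truncated to 72 bytes, A == B:", truncation_collides(LONG_A, LONG_B))
    print("pre-hash A:", prehash_for_bcrypt(LONG_A, PEPPER))
    print("pre-hash B:", prehash_for_bcrypt(LONG_B, PEPPER))
    # With the PyPI bcrypt package this would continue as:
    #   bcrypt.hashpw(prehash_for_bcrypt(pw, PEPPER), bcrypt.gensalt(12))
```

The pre-hash has to run on both the enrol and verify paths, and the pepper has to stay available for the lifetime of every hash: lose or rotate it and nothing verifies. Record which scheme each stored hash used (plain bcrypt, pre-hashed, pepper version) alongside the hash so a migration can verify with the old scheme and re-hash with the new one at the user's next login.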

Not memory-hard

bcrypt touches only ~4 KiB of state per attempt: the four 1 KiB Blowfish S-boxes plus the P-array. That was a meaningful obstacle to custom hardware in 1999, and the data-dependent S-box accesses still make bcrypt less efficient per dollar on GPUs than SHA-based hashes, but a single GPU now has tens of GB of memory and runs thousands of bcrypt instances in parallel, and FPGAs do better still per watt. For high-stakes password storage in new designs, prefer Argon2id (or scrypt), whose memory cost can be raised independently of its time cost.

The $2a$ / $2y$ / $2b$ story

Multiple prefixes exist because implementation bugs had to be fixed without invalidating existing hashes. $2a$ is the original OpenBSD identifier. $2x$ and $2y$ come from the crypt_blowfish library that PHP uses: a sign-extension bug mangled passwords containing bytes with the high bit set, so after the fix $2x$ requests the old buggy behaviour (for hashes created under it) and $2y$ marks hashes computed correctly. $2b$ was introduced by OpenBSD in 2014 after it fixed a length-wraparound bug (the password length was kept in an unsigned char, so passwords longer than 255 bytes were mishandled) and is the current canonical identifier. For verification, treat $2a$, $2y$ and $2b$ as the same algorithm; re-hash anything still carrying $2x$; for new hashes, write $2b$.
