Password Hashing: PBKDF2 (using sha512 x 1000) vs Bcrypt

Asked 13/12, 2010 at 20:31 Answered 3/4, 2011 at 17:26

Solved passwords hash password-protection bcrypt pbkdf2

I've been reading about the Gawker incident and several articles have cropped up regarding only using bcrypt to hash passwords and I want to make sure my hashing mechanism is secure enough to avoid switching to another method. In my current application I have opted for a PBKDF2 implementation utilising sha2-512 and a minimum of 1000 iterations.

Can I ask for opinions on using PBKDF2 vs Bcrypt and whether or not I should implement a change?

Stun answered 13/12, 2010 at 20:31 Comment(0)

As of 2022, it's best to switch to a memory-hard function, such as scrypt or Argon2. Bcrypt could also be an option, but it's not memory-hard.

As for PBKDF2, the recommendation to use 1000 iterations was made in year 2000, now you'd want much more.

Also, you should take more care when using bcrypt:

It is also worth noting that while bcrypt is stronger than PBKDF2 for most types of passwords, it falls behind for long passphrases; this results from bcrypt’s inability to use more than the ﬁrst 55 characters of a passphrase While our estimated costs and NIST’s . estimates of passphrase entropy suggest that bcrypt’s 55-character limitation is not likely to cause problems at the present time, implementors of systems which rely on bcrypt might be well-advised to either work around this limitation (e.g., by “prehashing” a passphrase to make it ﬁt into the 55-character limit) or to take steps to prevent users from placing too much password entropy in the 56th and subsequent characters (e.g., by asking users of a website to type their password into an input box which only has space for 55 characters).

From scrypt paper [PDF]

That said, there's also scrypt.

Any comparisons would be incomplete without the table from the scrypt paper mentioned above:

Estimated cost of hardware to crack a password in 1 year.

Iteration counts for PBKDF2-HMAC-SHA256 used there are 86,000 and 4,300,000.

Timmerman answered 3/4, 2011 at 17:26 Comment(6)

"asking users of a website to type their password into an input box which only has space for 55 characters." I'm sorry, but how is this applicable to the real world? I can hardly come up with 8 character passwords. – Ain 3/3, 2012 at 22:39

I know a guy that uses sequences of great chess games as passwords. He salts the sequences with the names of the players, dates, cities played, etc. I know another person who uses verses from epic poems, with intentional errors introduced. There are plenty of ways to get rilly long passwords. – Adria 8/6, 2012 at 6:24

It should be noted that there was an error in the scrypt paper, and the actual algorithmic cutoff of bcrypt is 72 characters. So there's still a cutoff, but it's got 128 more bits of entropy. Which is extremely significant. – Campanology 26/11, 2013 at 22:1

@Campanology depends on implementations (and most do accept 72 bytes), but the effective key size of Blowfish is 448 bits; while it can accept up to 576 bits (72 bytes as you say), "last four values of the P-array don't affect every bit of the ciphertext" (quote from Wikipedia en.wikipedia.org/wiki/Blowfish_(cipher)#The_algorithm). – Timmerman 27/11, 2013 at 18:1

@Ain using password phrases instead of passwords is something being done in the real world. Password phrases can easily surpass 55 characters in length, and are often easier to remember then random numbers+characters+symbols (codinghorror.com/blog/2005/07/passwords-vs-pass-phrases.html). – Rivers 11/1, 2014 at 22:46

@Rivers you are right, but you forgot to mention that password phrases are also easier to hack than randomized chars assuming the lengths are approximately the same. – Marbles 23/2, 2022 at 12:33

-9

Comment (re: the title):

Don't use encryption (reversible) to store passwords unless you MUST.
Since you presented a hashing (non-reversible) option as an alternative, I assume you don't need reversibility.

opinions on using PBKDF2 vs Bcrypt and whether or not I should implement a change?

My opinion:

Use PBKDF2 over Bcrypt. (I just have more faith in SHA than Blofish, for no reason)

As for whether you should 'implement a change', I don't know what you are asking.

Edited to more clearly separate the encryption / hashing discussion from stating my preferences w/r/t algorithm.

Guru answered 14/12, 2010 at 5:57 Comment(4)

"implement a change" meaning convert my scripts to use bcrypt instead of the PBKDF2 algo. – Stun 14/12, 2010 at 8:22

I don't believe bcrypt is encryption. It's a one way hashing mechanism base on BLOWFISH – Stun 14/12, 2010 at 8:23

BCrypt is a hashing algorithm. – Award 15/12, 2010 at 20:3

-1. Bcrypt is for hashing, not encryption. You're answer hints that it is used for encryption (which is bad for storing passwords). I'll quickly reverse my vote if you clarify your opinions in such a way that readers will not be likely to assume that Bcrypt is used for encryption. – Predominate 8/2, 2011 at 22:42

Recommended topics

Hot tags