I know this is an ‘over-asked’ topic, Bcrypt, however I have a few concerns in regards to its secureness.
I’ve been using sha512($password.$salt) and then looked for a better solution and came across Bcrypt.
What concerns me, was when reading about it, it said the number of rounds ($02$) and salt are stored within the hash in 3 separate ‘blocks’, like so, $rounds$.$salt.$hash (or at least that’s how I’ve interpreted it).
My question is: isn’t this insecure? The number of rounds used is displayed, and the salt is clearly available. Because the attacker can just go “ok I need 2 rounds, the salt is 123salt and that’s the hash”, right?
I understand when reading, it’s not ‘all’ about being secure, it’s how long it takes to crack the password, and that’s the benefit of Bcrypt, it’s slow.
Could anyone clarify my misinterpretations / misunderstandings please?
Thanks.
bcrypt is about security by irreducible complexity; not security by obscurity.
The point of a salt is to prevent the attacker from re-using calculations for multiple users.
There is nothing wrong with giving it to an attacker.
Similarly, even if the attacker knows how many rounds you’re using, that won’t save all that much time (assuming you’re using a decently high number of rounds).
The point of using many rounds is not that the attacker won’t know how many rounds to use; it’s that each round forces the attack to take longer.
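A worked illustration of the answer above, added here as an example and not part of either post. It parses the bcrypt modular-crypt string into its version, cost, salt and digest fields (the layout the question asks about), shows that the cost is a log2 work factor so exposing it tells an attacker only how slow each guess will be, and uses the standard library's PBKDF2 as a stand-in for bcrypt (Python's standard library has no bcrypt) to show that a per-user salt makes the same password hash differently for two users, so precomputed work cannot be reused. The sample hash string, user names, passwords and salts are constructed for the example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Modular-crypt layout: $<version>$<cost>$<22-char salt><31-char digest>
# Salt and digest share one 53-character run in bcrypt's own base64 alphabet
# (./A-Za-z0-9), so the split between them is positional, not a third '$'.
BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)


@dataclass(frozen=True)
class BcryptParts:
    version: str
    cost: int      # log2 of the key-setup iteration count (the "rounds")
    salt: str      # 22 chars = 128 bits of salt, stored in the clear
    digest: str    # 31 chars = 184 bits of hash output

    @property
    def iterations(self) -> int:
        return 2 ** self.cost


def parse_bcrypt(encoded: str) -> BcryptParts:
    """Split a bcrypt string into its public fields; raises ValueError on bad input."""
    m = BCRYPT_RE.match(encoded)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    return BcryptParts(m["version"], int(m["cost"]), m["salt"], m["digest"])


def work_ratio(cost_from: int, cost_to: int) -> int:
    """How many times more work one guess takes at cost_to than at cost_from."""
    return 2 ** (cost_to - cost_from)


# Constructed sample in bcrypt format: a well-formed value for the parser,
# not the hash of any particular password.
SAMPLE = "$2b$12$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"


def stand_in_kdf(password: bytes, salt: bytes, cost: int) -> bytes:
    """PBKDF2-HMAC-SHA256 standing in for bcrypt: same shape, public salt and
    cost, 2**cost iterations per guess. Not bcrypt itself."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 2 ** cost)


def salt_blocks_reuse(password: bytes, salt_a: bytes, salt_b: bytes, cost: int = 8) -> bool:
    """Same password, different salts: the digests differ, so a table built
    for user A says nothing about user B even though both salts are public."""
    return stand_in_kdf(password, salt_a, cost) != stand_in_kdf(password, salt_b, cost)


def verify(password: bytes, salt: bytes, cost: int, expected: bytes) -> bool:
    """Verification recomputes with the stored salt and cost and compares in
    constant time; knowing salt and cost gives nobody a shortcut past the work."""
    return hmac.compare_digest(stand_in_kdf(password, salt, cost), expected)


if __name__ == "__main__":
    parts = parse_bcrypt(SAMPLE)
    print(parts)
    print(f"cost {parts.cost} -> {parts.iterations} key-setup iterations per guess")
    print(f"raising cost 12 -> 14 multiplies work by {work_ratio(12, 14)}")
    print("salt blocks reuse:", salt_blocks_reuse(b"hunter2", b"salt-user-a", b"salt-user-b"))
    stored = stand_in_kdf(b"hunter2", b"salt-user-a", 8)
    print("verify correct password:", verify(b"hunter2", b"salt-user-a", 8, stored))
    print("verify wrong password:  ", verify(b"hunter3", b"salt-user-a", 8, stored))
```

The parser shows that everything after the third `$` is a fixed-width field pair, which is why the question's `$rounds$.$salt.$hash` reading is close but not exact. The `work_ratio` helper makes the answer's point concrete: the cost is not a secret but a dial, and each +1 doubles the attacker's per-guess cost exactly as it doubles yours.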