Home/ Questions/Q 8193093
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-07T04:21:45+00:00

I want to use Bcrypt for the password encryption in my systems. But all

  • 0

I want to use Bcrypt for the password encryption in my systems. But all the examples are something like this:

$password = $_POST['password'];
$salt = substr(str_replace('+', '.', base64_encode(sha1(microtime(true), true))), 0, 22);
$hash = crypt($password, '$2a$12$'.$salt);

This looks pretty safe to me, but I was wondering, in each example, nobody hashes the password before using Bcrypt.

Due to the unique salt, Rainbow tables shouldn’t be able to crack all the passwords at once. But in case the hacker takes one record and creates a rainbow table with the salt of that particular record, he should be able to crack a weak password.

So if someone takes a weak password (let’s say ‘foo’), it would be safer to hash it first with SHA-512 before using Bcrypt. Am I right? Or is this just looking safer?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Actually the answer has to be no, it doesn’t make the hash significant stronger in a cryptographically sense. As you probably know, bcrypt (although the function to use is named crypt) is a hash function itself, not an encryption function.

    In bcrypt you pass a cost factor, which defines, how many iterations will be done (normally hundreds of them). That slows down calculation of the hash, what makes brute force attacks impracticable. Using SHA-512 before, will only add one iteration more.

    What you said about the salt is correct, but of course if you have to build a rainbow table for each password, you will simply brute force until you have found a match, no need to build the whole rainbow table.

    If the attacker has control over database and code, an additional SHA-512 will help nothing at all (only a single iteration more). If he has only the database without code (SQL-Injection), then he will recognize the bcrypt hash. He can now brute force with bcrypt, but because of the SHA-512 there aren’t any weak passwords. It’s like the SHA-512 hash would be the password to crack, so a dictionary is of no use. This is security by obscurity, but will be effective as long as the code is not known. You can get the same effect easier, by adding a fix hard coded salt (key), before using bcrypt with the unique salt.

    • 0