I’m looking into hash and salting passwords using bcrypt in PHP.
Can someone explain to me why brcypt’s use of “work” / “rounds” prevents attacks?
I’ve already read “How do you use bcrypt for hashing passwords in PHP?“, but I’m having a hard time understanding what makes it so special if someone got a hold of your database and could crack it offline?
Would it be potentially up to the salt and hash together to protect the database against rainbow tables? Or does bcrypt do something special to help prevent attacks like this?
Simply put
bcryptis “better” than some other hash algorithms like theshafamily because it’s purposely slow and can be made purposely slower by using a high iteration count. Futhermore, it requires the use of a salt which protects against the use of pre-caclulated hash values (rainbow tables). The salt value should be generated/stored together with each output of bcrypt to disallow comparisions between values of different users (in case they use the same password).Even if an attacker gets your password hashes and salts, as long as your use of
bcryptis using a high number of iterations, it won’t be possible to quickly find the matching password. It is a one way function so you would need to perform the bcrypt calculations once for each password that is tried. This is of course little protection against bad passwords.