Bcrypt

bcrypt
General
Designers	Niels Provos, David Mazières
First published	1999
Derived from	Blowfish (cipher)
Detail
Digest sizes	184 bit
Rounds	variable via cost parameter

bcrypt is a password-hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher and presented at USENIX in 1999.^[1] Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power.

The bcrypt function is the default password hash algorithm for OpenBSD,^[2]^{[non-primary source needed]} and was the default for some Linux distributions such as SUSE Linux.^[3]

There are implementations of bcrypt in C, C++, C#, Embarcadero Delphi, Elixir,^[4] Go,^[5] Java,^[6]^[7] JavaScript,^[8] Perl, PHP, Ruby, Python, Zig^[9] and other languages.

^ Provos N, Maziéres D (10 June 1999). A Future-Adaptable Password Scheme (PDF). 1999 USENIX Annual Technical Conference. Vol. Proceedings of the FREENIX Track. Monterey, California: The USENIX Association.
^ "CVS log for src/lib/libc/crypt/bcrypt.c". CVS Repository. OpenBSD. 23 March 2014. Revision 1.32 (first mention of bcrypt in log). Retrieved 25 May 2023. minimal change to implementation of bcrypt to not require static globals
^ "SUSE Security Announcement: (SUSE-SA:2011:035)". Security Advisories. SUSE. 23 August 2011. Archived from the original on 4 March 2016. Retrieved 20 August 2015. SUSE's crypt() implementation supports the blowfish password hashing function (id $2a) and system logins by default also use this method.
^ Whitlock, David (21 September 2021). "Bcrypt Elixir: bcrypt password hashing algorithm for Elixir". GitHub. riverrun.
^ "Package bcrypt". godoc.org.
^ "jBCrypt - strong password hashing for Java". www.mindrot.org. Retrieved 2017-03-11.
^ "bcrypt - A Java standalone implementation of the bcrypt password hash function". github.com. Retrieved 2018-07-19.
^ "bcryptjs". npm. riverrun. 7 February 2017.
^ "zigstd". GitHub. jedisct1. 26 October 2020.

[provos-1] Provos N, Maziéres D (10 June 1999). A Future-Adaptable Password Scheme (PDF). 1999 USENIX Annual Technical Conference. Vol. Proceedings of the FREENIX Track. Monterey, California: The USENIX Association.

[original-2] "CVS log for src/lib/libc/crypt/bcrypt.c". CVS Repository. OpenBSD. 23 March 2014. Revision 1.32 (first mention of bcrypt in log). Retrieved 25 May 2023. minimal change to implementation of bcrypt to not require static globals

[3] "SUSE Security Announcement: (SUSE-SA:2011:035)". Security Advisories. SUSE. 23 August 2011. Archived from the original on 4 March 2016. Retrieved 20 August 2015. SUSE's crypt() implementation supports the blowfish password hashing function (id $2a) and system logins by default also use this method.

[4] Whitlock, David (21 September 2021). "Bcrypt Elixir: bcrypt password hashing algorithm for Elixir". GitHub. riverrun.

[5] "Package bcrypt". godoc.org.

[6] "jBCrypt - strong password hashing for Java". www.mindrot.org. Retrieved 2017-03-11.

[7] "bcrypt - A Java standalone implementation of the bcrypt password hash function". github.com. Retrieved 2018-07-19.

[8] "bcryptjs". npm. riverrun. 7 February 2017.

[9] "zigstd". GitHub. jedisct1. 26 October 2020.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]