How safe are bcrypt passwords and are they difficult to crack?

A computer being guarded by cybersecurity
(Image credit: iStock)

The persistent danger of cyberattacks underscores the critical imperative for businesses to prioritize user password security as a fundamental necessity. Despite this urgency, a comprehensive analysis of over 800 million breached passwords reveals a disconcerting trend. Shockingly, common base terms like ‘password’, ‘admin’, ‘welcome’, and ‘p@ssw0rd’, are still among the most picked passwords. Another staggering revelation is that passwords that are predominantly composed of lowercase letters constitute a staggering 18.82% of those used in malicious attacks. This glaring reality underscores the vulnerability of passwords, perpetuating them as one of the weakest links within an organization’s network defenses. As security teams confront the perpetual challenge of thwarting unauthorized access and fortifying against data breaches, the criticality of fortifying this fundamental aspect of cybersecurity cannot be overstated.

As a consequence, numerous security experts have extensively explored optimal methods to secure passwords, especially focusing on fortified hashing algorithms, resulting in the ascendancy of bcrypt. Renowned for its formidable defense in preserving stored passwords, bcrypt, stemming from the 1999 Blowfish cipher algorithm, has evolved into a bastion of password security. Nevertheless, in tandem with technological progress, the prowess of attackers also advances. Consequently, ongoing scrutiny of bcrpyt has unveiled insights into its resilience amidst the evolving tactics of contemporary hackers.

Darren James

Senior Product Manager at Specops Software, an Outpost24 company.

Why we use hashing algorithms

At its core, password hashing involves subjecting a password to a hashing algorithm, converting the plain text into an incomprehensible sequence of alphanumeric characters. This process acts as an essential barrier against potential password compromise within storage systems. The irreversible nature of this transformation guarantees that in the event of a breach where hackers acquire the hashed passwords, they remain inscrutable. Decrypting the original password from a hash is only achievable through exhaustive guesswork using brute force methods or rainbow tables.

The conventional method of manually guessing a password is virtually impossible for a human, prompting cybercriminals to resort to password cracking tools such as Hashcat, L0phtcrack, or John The Ripper. A brute force attack entails testing millions, if not billions, of combinations and cross-checking them against an extensive range of strings to generate a password hash. With increasing computational capabilities, the process of cracking a password has become alarmingly swift.

For hackers, this poses an irresistible challenge, spurring the use of sophisticated technology that harnesses robust hardware and specialized software to breach hashed passwords. Consequently, the competition within the cybersecurity domain is escalating significantly.

Previously, traditional hashing algorithms like MD5 and SHA-1 stood as stalwarts in password protection. However, even these defenses have succumbed to the relentless pressure exerted by contemporary cracking tools. Surprisingly, MD5 remains prevalent in leaked datasets despite its compromised security stature.

Unravelling bcrypt

Delving into more intricate details, bcrypt employs a one-way hashing procedure to convert user passwords into fixed-length strings. This irreversible transformation ensures that reverting the hash back to the original password is practically impossible. Each user login triggers bcrypt to rehash the password, enabling a comparison with the stored system password. Even in instances of short plain-text passwords, bcrypt can enhance their length and complexity, thereby bolstering security. Additionally, bcrypt boasts distinctive features that differentiate it from other hashing techniques.

a. Salting and enhanced complexity

Bcrypt employs a salting technique to fortify defenses against dictionary and brute force attacks. Each password hash receives a unique addition, significantly complicating decryption efforts, thereby enhancing password complexity and deterring common hacking methods.

b. Cost factor: safeguarding security levels

Within bcrypt, the ‘cost factor’ adds another layer of security. This factor regulates the number of password iterations performed before generating the hash and is incorporated ahead of the salt. By doing so, bcrypt applies stronger hashing and salting methods, amplifying the time, resources and computational power needed for cracking attempts.

Gauging the true security of bcrypt

Generating a bcrypt hash might require a considerable amount of time but this deliberate delay serves as a crucial barrier against hacking attempts. Unlike MD5, and SHA-256 hashing algorithms, cracking bcrypt hashes presents a formidable challenge for any malicious actor. For instance, an eight-character password comprising a mix of letters, numbers and symbols would take around 286 years to crack. However, easily guessable or short passwords like ‘123456’ can be cracked almost immediately. This underscores the importance for both businesses and individuals to adhere to robust security practices by employing longer, more complex passwords, such as passphrases.

While bcrypt hashing offers significant protection, it's important to note that it isn't a fail-safe solution against password compromise. The well-known ‘Have I Been Pwned?’ website, that allows users to check whether their personal data has been compromised by data breaches, has many examples of bcrypt hashes that have been unfortunately exposed.

Cybersecurity doesn’t have a one-size-fits-all remedy, and despite its strength, bcrypt hashes have been susceptible to exposure in data breaches. Despite this, it remains a standout choice, especially in addressing the critical issues of password reuse and compromised credentials within an organization.

Cybercriminals often steer clear of brute-forcing hashing algorithms due to various reasons and instead focus on easier targets, such as exploiting compromised Active Directory passwords. Furthermore, implementing restrictions on password reuse emphasizes the necessity for robust password security protocols in the corporate landscape. Embracing hashing algorithms as part of a proactive strategy becomes crucial in mitigating the risks linked to compromised credentials.

Finding strength in password security

As the cybersecurity landscape constantly shifts, cybercriminals strive to disrupt organizations and impact the workforce. To combat this, businesses must strengthen their defenses against password-related threats through a comprehensive strategy. This includes utilizing bcrypt hashing to thwart brute force attacks, educating users about better password practices, and implementing stringent organizational policies to prevent password reuse risks. This combination of technological fortification, user education, and policy reinforcement aims not just to decrease the chances of password compromise, but also to enhance the overall cyber resilience of the business.

We featured the best encryption software.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here:

Darren James is a Product Specialist and cyber security expert at Specops Software.