Bcrypt is a cryptographic hash function designed specifically for hashing passwords. The function, which is based on the Blowfish algorithm, was designed by Niels Provos and David Mazières and presented to the public at the USENIX conference in 1999.


To authenticate users of an application or website, a combination of a username or e-mail address and a password is used as a rule. The site must store the password for this, but storing the password in unencrypted form is a considerable security risk. If the username and password become known to a third party (for example, if the site is hacked), that party can identify itself to the website as the user. Since many users use the same combination of username and password for many services, other services can be affected as well.

This problem is usually avoided by means of cryptographic hash functions. A hash value of the password is computed with such a function and stored. Such functions are distinguished by the fact that the original password cannot be recovered from the hash value. To authenticate the user, the user's input is hashed with the same function and the two hashes are compared: if the original passwords are the same, the hash values are the same.

The hash functions MD5 and Secure Hash Algorithm (SHA1, etc.) were developed with the aim of hashing data as efficiently as possible, since they are also used for verifying large files. On the other hand, this efficiency makes it easier to guess passwords using brute-force attacks or to create so-called rainbow tables.


Key derivation functions such as PBKDF2, bcrypt and also scrypt, however, were developed with the aim of making hashing as costly as possible. For normal applications, this effort is of no consequence compared with other factors; only when the calculation is carried out many times in succession (such as during a brute-force attack) does a significant slowdown result.

To this end, the presentation of bcrypt set out some design criteria for password-based key derivation functions:

  • Bcrypt has a cost factor, adjustable depending on the application, which defines the amount of work needed to compute the hash value. With this factor, the effort can be increased as computer performance grows in the future.
  • The function should be optimized for the context for which it was designed. Performance advantages for hardware implementations and for other programming languages should be small, since such advantages benefit an attacker. A (moderate) memory requirement limits the advantage of hardware optimizations. Bcrypt requires 14 KB of memory.
  • Software implementations are based on operations that are optimized for CPUs, such as exclusive-or, addition or shift operations.

The NIST recommendation of 2010, PBKDF2, takes only the first criterion into account. These criteria were, however, taken up and extended in the key derivation function scrypt and in the Password Hashing Competition.


Bcrypt differs from the block cipher Blowfish only in a few respects. The slowdown takes place mainly in the password-dependent calculation of the round keys and the S-boxes. These are modified over several rounds, depending on the salt and the password, by the EksBlowfishSetup function. The number of rounds is 2 raised to the power of the cost parameter. Following this, the round keys and S-boxes generated in this way are used to encrypt the 192-bit value "OrpheanBeholderScryDoubt" 64 times in ECB mode.


A point of criticism is that bcrypt restricts the length of the password to 55 bytes, even if most passwords do not exceed that limit. The memory requirement of 14 KB is also not enough on its own to restrict hardware implementations, for example in FPGAs and ASICs. Nevertheless, in comparisons relating to attacks with specialized hardware, bcrypt often fares better than most other password-based key derivation functions, apart from scrypt.
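The effect of the 55-byte limit described above, shown as an added example that is not part of the original article. It assumes an implementation that silently ignores bytes past the limit. The function names are hypothetical, and the SHA-256 pre-hash is a common mitigation that the article itself does not describe.

```python
import base64
import hashlib

BCRYPT_MAX_BYTES = 55  # password length limit stated in the article


def password_bytes(password: str) -> bytes:
    # bcrypt sees bytes, not characters: non-ASCII text grows when encoded.
    return password.encode("utf-8")


def exceeds_limit(password: str) -> bool:
    return len(password_bytes(password)) > BCRYPT_MAX_BYTES


def truncated_input(password: str) -> bytes:
    # Assumption: the implementation silently ignores bytes past the limit.
    return password_bytes(password)[:BCRYPT_MAX_BYTES]


def prehash(password: str) -> bytes:
    # Mitigation (not from the article): condense the whole password with
    # SHA-256, then base64-encode it so the result is 44 ASCII bytes with no
    # NUL byte. These bytes, not the raw password, would be given to bcrypt.
    digest = hashlib.sha256(password_bytes(password)).digest()
    return base64.b64encode(digest)


def audit(passwords):
    # Return (password, byte_length, over_limit) for each candidate.
    return [(p, len(password_bytes(p)), exceeds_limit(p)) for p in passwords]


# Constructed sample inputs: two passphrases sharing their first 55 bytes,
# and a 30-character password that is 60 bytes long in UTF-8.
PREFIX = "correct horse battery staple " * 2  # 58 bytes
LONG_A = PREFIX + "alpha"
LONG_B = PREFIX + "bravo"
UMLAUT = "ü" * 30

if __name__ == "__main__":
    for pw, size, over in audit([LONG_A, LONG_B, UMLAUT, "hunter2"]):
        print(f"{size:3d} bytes  over_limit={over}  {pw!r}")
    print("same after truncation:", truncated_input(LONG_A) == truncated_input(LONG_B))
    print("same after pre-hash:  ", prehash(LONG_A) == prehash(LONG_B))
```

The pre-hash must be applied identically when the password is set and when it is verified, otherwise existing hashes no longer match.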