when a data breach As the occasional threat became an enduring fact of life in the early 2010s, as victim organizations, cybersecurity researchers, law enforcement, and ordinary people assessed the aftermath of each incident, one question would arise again and again: Which What purpose does a password hashing algorithm have for protecting its users’ passwords?
If the answer is a bad cryptographic function like SHA-1 or PBKDF2 — not to mention the nightmare of having passwords stored in clear text without encryption scrambling at all — victims have even more to worry about, because it means that whoever steals the It is easier to crack the password data, directly access the user’s account, and try those passwords elsewhere to prevent people from reusing them. Still, if the answer is the algorithm known as bcrypt, then at least one less thing to panic about.
Looking back, Bcrypt, which turns 25 this year, and one of its co-inventors, Niels Provos, said the algorithm has had good traction thanks to its open-source availability and the technical features that have driven its longevity. vitality. In an interview with WIRED, Provos talked about his Usenix; login:. However, like many digital workhorses, there are now stronger and more secure alternatives to bcrypt, including hashing algorithms called scrypt and Argon2. Provos himself said the quarter-century milestone was enough for bcrypt, and he hoped it would lose popularity before celebrating another big birthday.
A version of bcrypt was first released in June 1997 with the open source operating system OpenBSD 2.1. At the time, the United States still had strict export restrictions on cryptography. But Provos, who grew up in Germany, worked on it while living and studying in Germany.
“One of the things that really surprised me was how popular it became,” he said. “I think some [it’s] Probably because it actually solves a real problem, but also because it’s open source and not subject to any export restrictions. Then everyone did their own implementation in all these other languages. So now, if you want to do password hashing, bcrypt is available in every language you could possibly use. But the other thing I find interesting is that it’s still relevant even 25 years later. That’s crazy. “
Provos developed bcrypt with David Mazieres, a system security professor at Stanford who was studying at MIT when he and Provos collaborated on bcrypt. The two met through the open source community and worked on OpenBSD.
Hashed passwords are encrypted by an algorithm that converts the readable content into an unintelligible password. These algorithms are “one-way functions” that are easy to run but difficult to decode or “crack”, even for the person who created the hash. In the case of login security, the idea is that you pick a password, the platform you use hashes it, and then when you log into your account in the future, the system takes the password you entered, hashes it, Then compare the result to the password hash in your account file. If the hashes match, the login will succeed. That way, the service only collects hashes for comparison, not the passwords themselves.