How Tough Is Bcrypt To Crack? Can It Keep Passwords Safe?
Bcrypt resilience — why it’s a key player in safeguarding against modern cyber threats.
Darren James, senior product manager of Specops Software, delves into the prowess of bcrypt in fortifying passwords. Learn how bcrypt stands against modern hacking techniques, ensuring a resilient defense
Due to the never-ending threat of cyberattacks in the current digital ecosystem, getting user password security correct should be the bare minimum expected from businesses. Yet, if we truly examine the latest industry findings, when analyzing over 800 million breached passwords, the most common base terms used in passwords were: ‘password,’ ‘admin,’ ‘welcome,’ and ‘p@ssw0rd’. Passwords containing only lowercase letters were the most common character combinations found, making up 18.82% of passwords used in attacks. Clear passwords remain one of the weakest elements in an organization’s network, leaving security teams at a critical juncture as they battle against unauthorized access and data breaches.
As a result, many have searched high and low for the best means to protect passwords, particularly for secure hashing algorithms, and this has led to the rise of bcrypt. Often hailed for its robustness in safeguarding stored passwords, bcrypt originated in 1999 from the Blowfish cipher algorithm and has emerged as a fortress of password protection. Yet, as technology advances, so do the capabilities of attackers, and further research into bcrypt has unearthed some discoveries in its overall resilience against the face of modern hackers.
Understanding Hashing Algorithms
In its basic form, password hashing places a password through a hashing algorithm to turn the plaintext into an unintelligible series of numbers and letters. They serve as a necessary vanguard against password exposure in storage systems. The one-way transformation they offer ensures that they will remain indecipherable even if a breach occurs and hackers gain access to the hashed passwords. The only way to reveal the actual password from a hash is to guess via brute force techniques or rainbow tables.
Guessing a password, the traditional way, would be impossible for a human, which is why cybercriminals rely on password-cracking software like Hashcat, L0phtcrack, or John The Ripper. A brute force attack would involve trying millions, if not billions, of combinations whilst comparing against many strings to create a password hash. With enough computer power, the task of cracking a password is becoming dangerously rapid.
To cybercriminals this presents a challenge they want to overcome and using sophisticated techniques that leverage powerful hardware and specialized software to crack hashed passwords, the race within the cybersecurity realm is certainly intensifying.
More traditional hashing algorithms like MD5 and SHA-1 were once considered the torch bearers of password protection. But even these defenses have been exposed against the relentless force of modern cracking tools. Despite this fact, despite its compromised security status, MD5 is still among the most frequently cited hash algorithms in leaked datasets.
See More: The Password Expiry Myth: Redefining Password Security
Decrypting bcrypt: A Pillar of Enhanced Password Security
Going into more granular detail, bcrypt transforms user passwords into fixed-length strings through a one-way hashing process. This means any hash reversal is virtually inconceivable, and it cannot be changed back to the original password. Each time a user logs in, the bcrypt technology will re-hash the password, comparing it to the one stored in the system’s memory to see if the two passwords match. Should the plain-text password be short, the process can make it longer and more complex for additional security. Other elements within bcrypt set it apart from other hashing methods.
1. Salting and Complexity Enhancement
To protect against dictionary and brute force attacks, bcrypt deploys salting, where a unique addition is made to each password hash. This process significantly complicates deciphering, augmenting password complexity, and thwarting common hacking tactics.
2. Cost Factor: The Guardian of Security
The ‘cost factor’ is another layer within bcrypt that raises the security bar. This capability consumes the number of password iterations created before the hash is generated and is added in front of the salt. In doing so, it can apply stronger hashing and salting, amplifying the time, effort, and computational resources required for cracking attempts. The outcome is a 24-byte hash that combines password string, salt, and cost factor, a formidable defense for any password.
Gauging the true security of bcrypt
While it may take time for a bcrypt hash to be created, it is deliberately intended to take time to crack. Cracking them is arduous for any threat actor and sets it apart from hashing algorithms MD5 and SHA-256. For example, when a combination of letters, numbers, and symbols is used in an eight-character password, the time to crack it is 286 years. Of course, short, non-complicated passwords, or common passwords like ‘123456’, will be cracked almost immediately. This is why security professionals warn businesses and users to follow security best practices and aim for longer passwords like passphrases.
If you get the right combination, will bcrypt hashing prevent password compromise? No, but then again, there is no silver bullet in cybersecurity, and despite its robustness, bcrypt hashes have been found to be exposed in data breaches. An example is the 2018 MyFitnessPal data breach, where 144 million unique email addresses, usernames, IP addresses, and passwords were exposed despite being stored as SHA-1 and bcrypt hashes. This shows that bcrypt is not impervious to breaches. However, it still stands tall amongst all others, especially regarding password protection and preventing reused credentials and compromised passwords within an organization.
Cybercriminals will typically avoid brute-forcing hashing algorithms for the reasons stated. They would much rather target low-hanging fruit, such as Active Directory passwords that are highly likely to have already been compromised. Moreover, blocking users from password reuse only increases the argument for comprehensive password security protocols within the business world. Indeed, hashing algorithms should be leveraged proactively to mitigate the risks associated with compromised credentials.
Forging Resilience with Password Security
The cybersecurity landscape is continually evolving, mainly with cybercriminals trying to cause havoc and disruption at the expense of organizations and the wider workforce. Businesses should fortify password defenses using a multifaceted approach to stand a chance. One that leverages bcrypt hashing to prevent brute force attacks, with increased user security awareness on password hygiene and stricter organizational policies to prevent the risk of password reuse. This fusion of technological fortifications, user education, and policy enforcement will reduce the likelihood of password compromise and improve the business’s overall cyber resilience.
How well do you understand bcrypt’s role in password security? Let us know on Facebook, X, and LinkedIn. We’d love to hear from you!
Image Source: Shutterstock
MORE ON PASSWORD SECURITY
