Bcrypt
Bcrypt is another cryptographic KDF function, older than Scrypt, and less resistant to ASIC and GPU attacks. It provides a configurable iteration count (the "cost" factor), but uses a constant amount of memory, so it is easier to build hardware-accelerated password crackers for it.
You can play with Bcrypt here: https://www.dailycred.com/article/bcrypt-calculator.
In many applications, frameworks and tools (e.g. in the database of WordPress sites), Bcrypt password hashes are stored together with the algorithm settings and the salt in a single string (in a specific format), consisting of several parts separated by the $ character. For example, the password p@ss~123 can be stored in the Bcrypt hash format like this (several examples are given, to make the pattern apparent):
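As an added example (not code from the original page), the following parser splits a string in the $-separated Bcrypt storage format into its version, cost, salt and hash parts and checks whether the stored cost meets a minimum, which is useful when auditing a user database for weakly configured hashes. The sample string is a constructed value in the correct format, not a hash of the page's example password.

```python
import re

# Bcrypt uses its own base64 alphabet (not the RFC 4648 one) for salt and hash.
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# Format: $<version>$<cost>$<22-char salt><31-char hash>
# version is 2, 2a, 2b, 2x or 2y; cost is a two-digit decimal number.
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def parse_bcrypt(stored):
    """Split a stored Bcrypt string into its parts; raise ValueError if malformed."""
    match = _BCRYPT_RE.match(stored)
    if not match:
        raise ValueError("not a Bcrypt hash string: %r" % stored)
    version, cost_str, salt, digest = match.groups()
    cost = int(cost_str)
    # Bcrypt implementations accept cost factors from 4 to 31 inclusive.
    if not 4 <= cost <= 31:
        raise ValueError("cost factor out of range: %d" % cost)
    return {
        "version": version,
        "cost": cost,
        "rounds": 2 ** cost,   # number of key-expansion rounds performed
        "salt": salt,          # 128-bit salt, bcrypt-base64 encoded
        "hash": digest,        # 184-bit hash, bcrypt-base64 encoded
    }


def cost_is_adequate(stored, min_cost=12):
    """True if the stored hash was computed with at least min_cost (2^min_cost rounds)."""
    return parse_bcrypt(stored)["cost"] >= min_cost


# Constructed sample in Bcrypt format (hypothetical, for parsing only).
SAMPLE = "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"

if __name__ == "__main__":
    parts = parse_bcrypt(SAMPLE)
    print("version=%s cost=%d rounds=%d" % (parts["version"], parts["cost"], parts["rounds"]))
    print("salt=%s" % parts["salt"])
    print("hash=%s" % parts["hash"])
    print("cost adequate (>=12):", cost_is_adequate(SAMPLE))
```

Running the audit over every stored string in a user table flags hashes whose cost was set too low when the application was first deployed.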
When configured properly, Bcrypt is considered a secure KDF function and is widely used in practice. Scrypt is generally considered more secure than Bcrypt, so modern applications should prefer Scrypt (or Argon2) instead of Bcrypt. Still, this recommendation is disputable, but I personally prefer Argon2.