Why Bcrypt Can Be Unsafe for Password Hashing?
17 days ago
- #encryption
- #password-security
- #bcrypt
- bcrypt ignores any bytes after the first 72 bytes due to its Blowfish cipher foundation.
- bcrypt is slow by design, includes built-in salting, and is widely used for password hashing.
- A code example demonstrates that bcrypt only processes the first 72 bytes of a password, ignoring the rest.
- The 72-byte limit applies to bytes, not characters, affecting non-ASCII characters more due to UTF-8 encoding.
- Alternatives to bcrypt include using Argon2 or pre-hashing passwords with SHA-256/SHA-512 before bcrypt.
- Python's bcrypt package (v5.0.0+) raises errors for passwords longer than 72 bytes.
- Different languages/libraries handle the 72-byte limit differently (e.g., Go raises errors, OpenBSD truncates).
- Okta's 2024 security incident was caused by bcrypt's 72-byte limitation in cache key hashing.
- bcrypt remains suitable for typical passwords under 72 bytes, but alternatives are recommended for future security.