How secure are bcrypt passwords and are they difficult to crack?
The continued threat of cyber-attacks underlines the critical need for businesses to prioritize the security of user passwords as a fundamental necessity. Despite this urgency, a comprehensive analysis of more than 800 million hacked passwords reveals a disturbing trend. Shockingly, common basic terms like ‘password’, ‘admin’, ‘welcome’ and ‘p@ssw0rd’ are still among the most commonly chosen passwords. Another staggering revelation is that passwords composed mainly of lowercase letters make up a whopping 18.82% of passwords used in malicious attacks. This glaring reality underscores the vulnerability of passwords, leaving them one of the weakest links in an organization’s network defenses. As security teams face the ongoing challenge of thwarting unauthorized access and defending against data breaches, the importance of strengthening this fundamental aspect of cybersecurity cannot be overstated.
As a result, numerous security experts have conducted extensive research into optimal methods of securing passwords, focusing primarily on strengthened hashing algorithms, leading to the rise of bcrypt. Known for its formidable defenses in keeping stored passwords, bcrypt, which evolved from the 1999 Blowfish encryption algorithm, has become a bastion of password security. Nevertheless, along with technological advancements, the skill of attackers is also increasing. Consequently, continued research of bcrpyt has provided insights into its resilience amid the evolving tactics of today’s hackers.
Senior Product Manager at Specops Software, an Outpost24 company.
Why we use hash algorithms
At its core, password hashing involves subjecting a password to a hashing algorithm, converting the plain text into an incomprehensible string of alphanumeric characters. This process acts as an essential barrier against potential password compromise within storage systems. The irreversible nature of this transformation ensures that in the event of a breach where hackers obtain the hashed passwords, they will remain unfathomable. Decrypting the original password from a hash is only possible through exhaustive guesswork using brute force methods or rainbow tables.
The conventional method of manually guessing a password is virtually impossible for a human, prompting cybercriminals to resort to password cracking tools such as Hashcat, L0phtcrack or John The Ripper. A brute force attack involves testing millions, if not billions, of combinations and comparing them to an extensive set of strings to generate a password hash. With increasing computing capabilities, the process of cracking a password has become alarmingly fast.
For hackers, this presents an irresistible challenge, encouraging the use of advanced technology that uses robust hardware and specialized software to break hashed passwords. As a result, competition within the cybersecurity domain is escalating significantly.
Previously, traditional hashing algorithms such as MD5 and SHA-1 were a mainstay in the field of password security. But even these defense mechanisms have succumbed to the relentless pressure exerted by today’s cracking tools. Surprisingly, MD5 continues to appear in leaked datasets despite its compromised security status.
Unraveling Bcrypt
Delving into more intricate details, Bcrypt uses a one-way hashing procedure to convert user passwords into fixed-length strings. This irreversible transformation makes it virtually impossible to restore the hash to the original password. Each user login triggers bcrypt to re-hash the password, allowing comparison with the stored system password. Even in cases of short plaintext passwords, bcrypt can increase their length and complexity, increasing security. Furthermore, bcrypt has distinctive features that set it apart from other hashing techniques.
A. Salting and Enhanced Complexity
Bcrypt uses a salting technique to strengthen defenses against dictionary and brute force attacks. Each password hash is given a unique addition, significantly complicating decryption efforts, increasing password complexity and discouraging common hacking methods.
B. Cost factor: ensuring the level of safety
Within bcrypt, the ‘cost factor’ adds an extra layer of security. This factor controls the number of password iterations performed before the hash is generated and is included before the salt. By doing this, bcrypt applies stronger hashing and salting methods, increasing the time, resources and computing power required for cracking attempts.
Measuring the true security of bcrypt
Generating a bcrypt hash can take a significant amount of time, but this intentional delay is a crucial barrier against hacking attempts. Unlike MD5 and SHA-256 hash algorithms, cracking bcrypt hashes poses a huge challenge for any malicious actor. For example, it would take about 286 years to crack an eight-character password made up of a combination of letters, numbers and symbols. However, easy-to-guess or short passwords such as ‘123456’ can be cracked almost instantly. This underlines the importance for both companies and individuals to adhere to robust security practices by using longer, more complex passwords, such as passphrases.
While bcrypt hashing provides significant protection, it is important to note that it is not a foolproof solution against password compromise. The famous ‘Am I pwned?’ website, which allows users to check whether their personal data has been compromised by data breaches, has many examples of bcrypt hashes that have unfortunately been exposed.
There is no one-size-fits-all solution for cybersecurity, and despite its power, bcrypt hashes are susceptible to exposure to data breaches. Nevertheless, it remains an excellent choice, especially when it comes to addressing the critical issues of password reuse and compromised credentials within an organization.
Cybercriminals often avoid brute-forcing hash algorithms for a variety of reasons and instead focus on easier targets, such as exploiting compromised Active Directory passwords. Furthermore, implementing restrictions on password reuse emphasizes the need for robust password security protocols across the enterprise landscape. Embracing hash algorithms as part of a proactive strategy becomes crucial in mitigating the risks associated with compromised credentials.
Finding power in password security
As the cybersecurity landscape continues to evolve, cybercriminals strive to disrupt organizations and impact the workforce. To combat this, companies must strengthen their defenses against password-related threats through a comprehensive strategy. This includes using bcrypt hashing to thwart brute force attacks, educating users on better password practices, and implementing strong organizational policies to prevent password reuse risks. This combination of technology enrichment, user education and policy reinforcement is intended not only to reduce the likelihood of password compromise, but also to increase the company’s overall cyber resilience.
We recommended the best encryption software.
This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of Ny BreakingPro or Future plc. If you are interested in contributing, you can read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro