Implementing

Uses Bcrypt Algorithm to Securely store Passwords in the Database

Bcrypt algorithm - Edition #26

Marco Moauro
Jun 10, 2024
Hey, I'm Marco and welcome to my newsletter!

As a software engineer, I created this newsletter to share my first-hand knowledge of the development world. Each topic we will explore will provide valuable insights, with the goal of inspiring and helping all of you on your journey.

In this episode, I will introduce the Bcrypt algorithm, compare it to SHA-256, and show a possible implementation in Node.js.

You can download all the code shown directly from my GitHub repository: https://github.com/marcomoauro/bcrypt-user-password

⚠️ Why is it important to avoid storing passwords in plain text?

Storing passwords in plain text is a serious security risk.

If a database is hacked, all user passwords are exposed, potentially resulting in unauthorized access to accounts and sensitive information.

Reference: https://www.cybertrends.it/scoperto-nuovo-database-di-credenziali-rubate-violate-25-milioni-di-password/

Attackers can easily exploit passwords in the clear, causing identity theft, financial losses and damaging an organization's reputation.

To safeguard user data, you can use secure password-hashing algorithms. These algorithms store a one-way hash instead of the password itself, making the original passwords extremely difficult for attackers to recover.

Bcrypt algorithm

Bcrypt is a widely used cryptographic hash function.

It employs a technique called adaptive hashing to protect passwords from brute force and rainbow table attacks.

Bcrypt uses a salted hashing approach, adding a random string to each password before hashing, which increases security by preventing the use of pre-calculated hash tables.

🔒 How does Bcrypt work?

The information the algorithm needs includes:

  • password

  • cost factor: a number that determines how many iterations (2^cost) the algorithm must perform before producing the result. Higher values require more time.

From this information, the algorithm generates a random 22-character salt that is added as a prefix to the resulting hashed password. Because every password gets its own salt, dictionary and brute-force attacks based on precomputed hash tables become virtually impossible.

The output of the algorithm will always be 60 characters, structured as a version prefix ($2y$), the two-digit cost factor, a $ separator, the 22-character salt, and the 31-character hash (the diagram from the original post is not reproduced here).

Reference: https://stackoverflow.com/questions/20394137/yii-cpasswordhelper-hashpassword-and-verifypassword/20399775#20399775

The cost factor is what makes the algorithm secure; it determines the number of iterations that must be performed, influencing the time and resources required to produce the final hash.

Password verification

Let's imagine we generated this hash: `$2y$10$n0UIs5kJ7naTuTFkBy1veuKOkSxUFXfua0KdOKf9xYTOKKIGSJwFa` from the password `implementing`.

The algorithm extracts the salt (`n0UIs5kJ7naTuTFkBy1veu`) and the cost factor (`10`), and applies the hashing procedure again to the given password.

The computation will require 2^cost_factor iterations, here 2^10 = 1024, before producing the final hash.

If the final hash matches the stored hash, the password is correct; otherwise it is incorrect.

What if we add a pepper?

A classic approach to enhancing password security is to use a pepper, an additional secret string added to the password, similar to a salt, before hashing.

The pepper is typically stored as an environment variable or in a secrets manager.

However, applying a pepper with the Bcrypt algorithm is not necessarily a good idea for several reasons:
