Bcrypt - Moore's Law Compliance

I use bcrypt to store passwords in my database using a work factor of 7, which takes about 0.02 seconds for a password hash on my reasonably modern laptop.

Coda Hale says that using bcrypt allows you to "keep up with Moore's law" by adjusting the coefficient of work. But there is no way to re-encrypt the user password, since I do not store plaintext. How can I keep my database up to date and hard to hack (assuming it hangs around for 5+ years, why would this become a problem)?

+4
1 answer

Re-encrypt at login. See Optimal bcrypt performance.

Remember that this value is stored in the password: $2a$(2 chars work)$(22 chars salt)(31 chars hash). This is not a fixed value.

If you find that the load is too high, just make sure that at the next login you re-hash to something faster to compute. Similarly, as time goes on and you get better servers, if load is not a problem, you can upgrade the strength of their hash when they log in.

The trick is to keep it at roughly the same amount of time forever into the future, along with Moore's law. The number is log2, so every time computers double in speed, add 1 to the default number.

+9
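The rehash-at-login flow the answer describes, as an added example (not code from the original question or answer): it parses the cost out of the stored $2a$NN$salt+hash string, upgrades the record the next time the user presents the plaintext, and calibrates the target cost by timing the hash on the current machine so the cost can be bumped by one each time hardware doubles in speed. The names parse_bcrypt, needs_rehash, login and calibrate_cost are this example's own. The sim_hash/sim_verify pair is a constructed stand-in that only mimics bcrypt's string layout so the logic can be exercised without the bcrypt package; the __main__ block uses the real PyPI bcrypt library when it is installed.

```python
import base64
import hashlib
import hmac
import os
import re
import time
from typing import Callable, Dict, Tuple

# Layout from the answer above: "$2a$" + 2-char cost + "$" + 22-char salt + 31-char hash.
_BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def parse_bcrypt(stored: str) -> Tuple[str, int, str, str]:
    """Split a stored bcrypt string into (version, cost, salt, hash)."""
    m = _BCRYPT_RE.match(stored)
    if not m:
        raise ValueError("not a bcrypt hash string")
    version, cost, salt, digest = m.groups()
    return version, int(cost), salt, digest


def needs_rehash(stored: str, target_cost: int) -> bool:
    """True when the cost baked into the stored hash is below today's target."""
    return parse_bcrypt(stored)[1] < target_cost


def login(user: str, password: str, store: Dict[str, str],
          verify_fn: Callable[[str, str], bool],
          hash_fn: Callable[[str, int], str], target_cost: int) -> bool:
    """Verify the password; on success, silently upgrade an under-cost hash.

    The plaintext is only available here, so this is the one place the
    database can be brought up to the current cost factor.
    """
    stored = store.get(user)
    if stored is None or not verify_fn(password, stored):
        return False
    if needs_rehash(stored, target_cost):
        store[user] = hash_fn(password, target_cost)
    return True


def calibrate_cost(hash_fn: Callable[[str, int], str], target_seconds: float = 0.25,
                   start: int = 4, clock: Callable[[], float] = time.perf_counter) -> int:
    """Smallest cost whose hash time reaches target_seconds on this machine.

    Cost is log2 of the work, so each doubling of CPU speed moves the result
    up by one; re-run on new hardware and pass the result to login().
    """
    cost = start
    while True:
        t0 = clock()
        hash_fn("calibration-password", cost)
        if clock() - t0 >= target_seconds or cost >= 31:  # 31 is bcrypt's maximum
            return cost
        cost += 1


# --- Stand-in hasher (constructed for this example; NOT bcrypt) -------------
# Mimics only the string layout so the upgrade logic runs without the
# `bcrypt` package; use the real library in production (see __main__).

def _b64(data: bytes, n: int) -> str:
    # bcrypt's alphabet is ./A-Za-z0-9; standard base64 uses +/ instead.
    return base64.b64encode(data).decode().replace("+", ".").rstrip("=")[:n]


def sim_hash(password: str, cost: int, salt: str = "") -> str:
    salt = salt or _b64(os.urandom(16), 22)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 2 ** cost)
    return f"$2a${cost:02d}${salt}{_b64(digest, 31)}"


def sim_verify(password: str, stored: str) -> bool:
    _, cost, salt, _ = parse_bcrypt(stored)
    return hmac.compare_digest(sim_hash(password, cost, salt), stored)


if __name__ == "__main__":
    try:  # real bcrypt from PyPI when available
        import bcrypt

        def hash_fn(pw, cost):
            return bcrypt.hashpw(pw.encode(), bcrypt.gensalt(rounds=cost)).decode()

        def verify_fn(pw, stored):
            return bcrypt.checkpw(pw.encode(), stored.encode())
    except ImportError:
        hash_fn, verify_fn = sim_hash, sim_verify

    target = calibrate_cost(hash_fn)
    store = {"alice": hash_fn("correct horse", 7)}  # constructed legacy record at cost 7
    print("stored cost before:", parse_bcrypt(store["alice"])[1], "target:", target)
    login("alice", "correct horse", store, verify_fn, hash_fn, target)
    print("stored cost after: ", parse_bcrypt(store["alice"])[1])
```

A failed login never triggers a rehash, so an attacker guessing passwords cannot force extra work on the server beyond the single verification; only a correct password leads to the one-time upgrade write.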
