The thing with bcrypt that makes it secure is that it is much slower to compute than any other algorithm.
With any version of SHA, you can simply get the best computers and instantly build a rainbow table. With bcrypt it will still take ages, because this algorithm is expensive. Thus, it is almost impossible to recover the original passwords from the hash.
See this link for more information. You can also see this thread on Security StackExchange, which covers exactly this!
The fact that the hash output is shorter does not matter, because, as I said, if you want to find which password the hash comes from, it takes a lot of time.
See this sandbox. Just setting a cost factor above 15 will take more than 3 seconds. Try playing with it and you will understand why it is secure.
Sandbox Code:
    <?php
    $time = microtime(true);
    // cost factor 15; crypt() reads the first 22 characters of the salt string
    $pass = crypt('myNewPassword', '$2y$15$usesomesillystringforsalt$');
    $end_time = microtime(true);
    $diff = $end_time - $time;
    echo "$pass\n$diff";
Output:
    $2y$15$usesomesillystringforeTfp6/FuUgyb1HKFA36V9tf6Go5xlv/
    2.4688489437103
It takes 2.5 seconds for 1 hash! Imagine trying to use millions of passwords!
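The answer above times a single hash at one fixed cost. The following added example (editor's code, not part of the original answer or of any project it cites) shows the practical side of the same point: each bcrypt cost increment roughly doubles the work, so you benchmark the costs on your own hardware and pick the highest one that fits your login-latency budget, then let PHP's password_* API manage the salt. The 250 ms budget, the cost range 10..31 and the 1,000,000-guess figure are arbitrary assumptions for illustration. Note that the answer's snippet passes a fixed salt string to crypt(); password_hash() generates a random 16-byte salt on every call, which is what production code should rely on.

```php
<?php
// Added example, not from the original answer. Assumes PHP >= 7.0 with the
// standard password_hash / password_verify / password_needs_rehash API.
declare(strict_types=1);

// Time one bcrypt hash at the given cost, in seconds.
function bcryptSeconds(string $password, int $cost): float
{
    $start = microtime(true);
    password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    return microtime(true) - $start;
}

// Walk the cost range upwards and return the highest cost whose single-hash
// time stays within the budget. Because every increment roughly doubles the
// work, the loop stops at the first cost that overshoots.
function pickCost(string $password, float $budgetSeconds, int $minCost = 10, int $maxCost = 31): int
{
    $chosen = $minCost;
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $t = bcryptSeconds($password, $cost);
        printf("cost=%2d  %.4f s per hash\n", $cost, $t);
        if ($t > $budgetSeconds) {
            break;
        }
        $chosen = $cost;
    }
    return $chosen;
}

// Rough attacker cost on THIS machine: N guesses at the measured per-hash time.
// A GPU rig is faster than one CPU core, so treat this as a floor, not a ceiling.
function bruteForceSeconds(float $perHash, int $guesses): float
{
    return $perHash * $guesses;
}

$password = 'myNewPassword';        // same sample password as the answer
$budget   = 0.25;                   // assumption: ~250 ms per login is acceptable
$cost     = pickCost($password, $budget);
printf("chosen cost: %d (budget %.2f s)\n", $cost, $budget);

// password_hash() embeds algorithm, cost and a fresh random salt in the hash
// string, so two hashes of the same password differ and nothing but the hash
// needs to be stored; password_verify() reads the parameters back out of it.
$h1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
$h2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
printf("two hashes of the same password differ: %s\n", $h1 !== $h2 ? 'yes' : 'no');
printf("correct password verifies: %s\n", password_verify($password, $h1) ? 'yes' : 'no');
printf("wrong password verifies:   %s\n", password_verify('wrongPassword', $h1) ? 'yes' : 'no');

// When hardware gets faster and you raise the cost, hashes stored with the old
// cost are flagged by password_needs_rehash(); rehash them on the next
// successful login, since that is the only moment you hold the plaintext.
$raised = ['cost' => $cost + 1];
printf("stored hash needs rehash at cost %d: %s\n",
    $cost + 1, password_needs_rehash($h1, PASSWORD_BCRYPT, $raised) ? 'yes' : 'no');

// Tie the measured cost back to the answer's argument about guessing attacks.
$perHash = bcryptSeconds($password, $cost);
$total   = bruteForceSeconds($perHash, 1000000);
printf("1,000,000 guesses at cost %d: about %.0f s (%.1f hours) on this machine\n",
    $cost, $total, $total / 3600);
```

Run it from the command line with `php benchmark.php`. The printed per-cost timings are what you use to size the cost for a given server; rerun the benchmark when you migrate to faster hardware, and rely on password_needs_rehash() rather than on a big-bang migration of the user table.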