A Popular Password Hashing Algorithm Starts Its Long Goodbye
When data breaches went from being an occasional threat to a persistent fact of life during the early 2010s, one question would come up again and again as victim organizations, cybersecurity researchers, law enforcement, and regular people assessed the fallout from each incident: Which password hashing algorithm had the target used to protect its users' passwords?
If the answer was a faulty cryptographic function like SHA-1--not to mention the nightmare of passwords stored in plaintext with no encryption scrambling at all--the victim had more to worry about because it meant that it would be easier for whoever stole the data to crack the passwords, directly access users' accounts, and try those passwords elsewhere to see if people had reused them. If the answer was the algorithm known as bcrypt, though, there was at least one less thing to panic about.
Bcrypt turns 25 this year, and Niels Provos, one of its coinventors, says that looking back, the algorithm has always had good energy, thanks to its open source availability and the technical characteristics that have fueled its longevity. Provos spoke to WIRED about a retrospective on the algorithm that he published this week in Usenix ;login:. Like so many digital workhorses, though, there are now more robust and secure alternatives to bcrypt, including the hashing algorithms known as scrypt and Argon2. Provos himself says that the quarter-century milestone is plenty for bcrypt and that he hopes it will lose popularity before celebrating another major birthday.
A version of bcrypt first shipped with the open source operating system OpenBSD 2.1 in June 1997. At the time, the United States still imposed stringent export limits on cryptography. But Provos, who grew up in Germany, worked on its development while he was still living and studying there.
"One thing I found so surprising was how popular it became," he says. "I think in part it's probably because it was actually solving a problem that was real, but also because it was open source and not encumbered by any export restrictions. And then everybody ended up doing their own implementations in all these other languages. So these days, if you are faced with wanting to do password hashing, bcrypt is going to be available in every language that you could possibly operate in. But the other thing that I find interesting is that it's even still relevant 25 years later. That is just crazy."
Provos developed bcrypt with David Mazieres, a systems security professor at Stanford University who was studying at the Massachusetts Institute of Technology when he and Provos collaborated on bcrypt. The two met through the open source community and were working on OpenBSD.
Hashed passwords are put through an algorithm to be cryptographically transformed from something that's readable into an unintelligible scramble. These algorithms are "one-way functions" that are easy to run but very difficult to decode or "crack," even by the person who created the hash. In the case of login security, the idea is that you choose a password, the platform you're using makes a hash of it, and then when you sign in to your account in the future, the system takes the password you input, hashes it, and then compares the result to the password hash on file for your account. If the hashes match, the login will be successful. This way, the service is only collecting hashes for comparison, not passwords themselves.
The innovation of bcrypt was that it included a security parameter that could be tuned over time to require more and more computing power to crack bcrypt hashes. This way, as broadly available processing speed increased, bcrypt hashes could become more and more difficult to crack.
"It's one of those ideas that's so obvious in retrospect," Mazieres says. "Of course, it's cool that bcrypt was a thing Niels and I did. But I think the important thing is, whatever password hashing algorithm we have, that there be some sort of security parameter to make it harder [in a way] that's a function of computing resources."
The next generation of hash functions requires more memory to attempt to crack hashed passwords, in addition to processing power.
"The problem was that computers keep getting faster, so a function that seems 'slow' today might be fast on tomorrow's computer," says Johns Hopkins cryptographer Matthew Green. "The idea behind bcrypt was to make this adjustable. So over time, you could crank up the difficulty level very easily. But then the problem became that people have made guessing even faster by taking advantage of specialized hardware that can compute many things in parallel. This undermines security for functions like bcrypt. So the more recent idea is to use functions that also require a lot of memory, as well as computation, on the theory that parallel attacks won't be able to scale this resource as well."
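The hash-and-compare login flow and the tunable security parameter described above, as an added example that is not from the article or from the bcrypt authors. It uses scrypt from Python's standard library (one of the memory-hard successors the article names) instead of bcrypt; the stored-hash format, function names and parameter values are assumptions made for illustration.

```python
import base64, hashlib, hmac, os

# Constructed policy for this example: n is the CPU/memory cost, r the block
# size, p the parallelism. Raising n over time is the "tunable parameter".
POLICY = {"n": 2**14, "r": 8, "p": 1}

def _derive(password, salt, n, r, p):
    # scrypt needs about 128 * n * r bytes of memory; allow that plus headroom.
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                          maxmem=256 * n * r + 2**20, dklen=32)

def hash_password(password, params=POLICY):
    # A fresh random salt per password; the cost parameters are stored with
    # the hash so old hashes stay verifiable after the policy is raised.
    salt = os.urandom(16)
    dk = _derive(password, salt, **params)
    return "scrypt${n}${r}${p}$".format(**params) + \
        base64.b64encode(salt).decode() + "$" + base64.b64encode(dk).decode()

def verify_and_upgrade(password, stored, params=POLICY):
    """Return (ok, new_hash). new_hash is set only when the login succeeded
    and the stored hash was made with parameters other than the current policy."""
    try:
        scheme, n, r, p, salt_b64, dk_b64 = stored.split("$")
        if scheme != "scrypt":
            return False, None
        n, r, p = int(n), int(r), int(p)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        candidate = _derive(password, salt, n, r, p)
    except ValueError:
        # Malformed record or invalid parameters: treat as a failed login.
        return False, None
    # Constant-time comparison of the recomputed hash with the one on file.
    ok = hmac.compare_digest(candidate, expected)
    outdated = (n, r, p) != (params["n"], params["r"], params["p"])
    # Only at a successful login is the plaintext available to re-hash.
    return ok, (hash_password(password, params) if ok and outdated else None)
```

Because the service never keeps the password itself, a stored hash can only be moved to stronger parameters at the moment its owner logs in, which is why older, weaker hashes linger after a policy change.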
Password security is always lagging, though, and both Provos and Mazieres expressed disbelief and disappointment that the state of passwords broadly has not evolved in decades. Even new schemes like passkeys are only just beginning to emerge.
"Bcrypt should have been superseded already," Provos says. "It's surprising how much reliance we still have on passwords. If you had asked me 25 years ago, I would not have guessed that."
Provos has turned to making cybersecurity- and authentication-themed electronic dance music under the DJ name Activ8te as a way to share his ideas about security with a broader audience and attempt to create cultural change in how people approach their personal security. Mazieres emphasizes, too, that the tech industry has done people a disservice by training them to authenticate in dangerous ways--clicking on links and plugging in passwords constantly and often indiscriminately.
Even if bcrypt's moment is passing, its inventors say it's still worth investing time and effort into efforts to improve digital authentication and security more broadly and to help people bolster their own digital defenses.
"There was a version of the world where I would just make music and do blacksmithing," Provos says. "But the state of security still makes me so sad that I still feel like I have to contribute back somehow."