1. Why bcrypt?
bcrypt is a hashing function built specifically for passwords, not a general-purpose hash. It is:
Slow and computationally expensive → protects against brute-force attacks
Salted automatically → prevents rainbow-table attacks
Adaptive (configurable cost factor) → can be made slower as hardware improves
Widely supported → available in Python, Node.js, Go, Java, PHP, etc.
Never store passwords in plain text.
Instead, store only the bcrypt hash.
2. How bcrypt Works (Conceptually)
User provides a password.
bcrypt internally generates a random salt.
bcrypt applies its slow hash function using the chosen cost factor.
The result is a hash string that contains:
algorithm ID
cost factor
salt
derived key (hash)
This one string is all you store in the database.
3. Choosing a Good Cost Factor
The cost is expressed as a work factor: bcrypt runs 2^cost rounds of its key setup, so raising the cost by one doubles the time a single hash takes.
Typical values (as of 2025):
10–12 for general web apps
12–14 for high-security systems
>14 only if your hardware can handle it
Rule of thumb:
Pick the highest cost that still keeps authentication under ~100 ms.
4. Safe Workflow for Storing Passwords with bcrypt
A. During Registration
Receive password from the user (via HTTPS).
Hash it with bcrypt using a secure cost factor.
Store only the bcrypt hash string in the database.
Do NOT store:
The plaintext password
The salt separately
Reversible encryption keys
B. During Login
Retrieve the stored bcrypt hash from the database.
Run bcrypt’s verify/compare function with the user’s input.
bcrypt automatically extracts the salt and cost from the stored hash and checks the password safely.
5. Language-Agnostic Example (Pseudocode)
Store a password
hash = bcrypt.hash(password, cost=12)
store(hash)
Verify a password
hash = loadFromDatabase(userId)
if bcrypt.verify(passwordAttempt, hash):
    allowLogin()
else:
    deny()
The important part is bcrypt.verify() — it re-derives the hash from the attempt using the salt and cost embedded in the stored string, then compares the result to the stored hash in constant time.
6. Security Best Practices
1. Always use HTTPS
Even perfect hashing fails if passwords are intercepted in transit.
2. Never log passwords
Not even for debugging.
3. Use a strong password policy
Encourage length over complexity (e.g., 12–16 characters).
4. Consider rate limiting & lockout
Limits how many guesses an attacker can make against the login endpoint, which bcrypt's slowness alone does not control.
5. Don’t rehash unnecessarily
Check whether the stored hash uses an outdated cost factor, and upgrade it only when the user logs in successfully, since that is the only moment the plaintext is available to rehash.
6. Use bcrypt, scrypt, Argon2, or PBKDF2
All are secure; Argon2id is the modern recommended option, but bcrypt is still excellent and widely supported.
7. Common Mistakes to Avoid
❌ Storing plaintext passwords
❌ Using plain SHA-256 or MD5 (general-purpose hashes are far too fast for password storage)
❌ Using bcrypt with cost factor < 10
❌ Writing your own hashing method
❌ Using predictable salts (bcrypt manages salts for you)
8. Summary
bcrypt stores passwords securely by hashing them using a slow, salted, adaptive algorithm that resists brute-force and rainbow-table attacks.
To use bcrypt safely: hash at registration, use verify at login, choose a good cost factor, and never store anything reversible.