DEV Community

BCrypt Explained

Sylvia Pap on March 04, 2020

Intro If you're into Cryptography For Beginners, you're in the right place. Maybe you're just getting into Rails and want to add a user ...
 
Nijeesh Joshy

Wow, this was the best article I have ever read about Bcrypt.

Médéric Burlet

You could also add that it is one of the password hashing algorithms recommended by OWASP:

owasp.org/www-project-cheat-sheets...

poo-jpg

You could also write your own article but you haven’t

Médéric Burlet

I don't see the point of writing an article on something that is already explained well in this post and that has a lot of resources online.
I also don't see the point of your comment.

Moisés Guimarães de Medeiros

Overall it is a very good article about the topic. But I find it a bit misleading when you say:

... some other common "general purpose" hash functions, MD5, SHA1, SHA2, SHA3 are fast, but insecure.

MD5, yes, that one definitely shouldn't be around anymore in anything related to security.

SHA1 might be stronger than MD5, but its days are also done since the discovery of collision attacks back in 2017.

SHA2 and SHA3 otherwise are still strong options for data integrity and other security features that revolve around it. But yes, you shouldn't use them for password "encryption" when we have better options such as bcrypt.

poo-jpg

Disagree. Not misleading whatsoever....

Victor Hazbun

Don't roll your own authentication systems, they are not safe. Use battle tested / third party services like Auth0 or OAuth.

Olivier JM Maniraho

SaaS doesn't work in all cases. I have had to do my own when I was working on a fully offline platform, and understanding how such encryption works helps a lot when implementing authentication; plus it wouldn't hurt to learn how things work.

Victor Hazbun

Agree with you, but it is known that rolling your authentication system can lead to security issues. Yes, learning new things like BCrypt is good as well. 👍

poo-jpg

Wrong

Victor Hazbun

BCrypt has been out there since 1999, and nowadays computers are much faster at figuring out problems than ever. As you can see, it is better to let experts resolve this adaptation issue for you.

Just imagine someone hacked your BCrypt setup? How are you going to solve the issue? Imagine how it will be to migrate to a modern encryption like Argon2 or Argon2id?

The answer: Delegate, delegate, delegate.

Sylvia Pap

Have you read the original white paper on BCrypt from 1999? It sounds like you haven't, and possibly haven't even read my post fully, because Auth0 uses bcrypt. The entire purpose, foundation, and legacy of the algorithm is based on exactly what you are saying - that adjusting the cost factor has an almost perfectly adaptable relationship with advancements in computing speed. BCrypt vs. Argon2 is an interesting question, but is entirely separate from whether or not to use third party auth. My post is about the algorithm itself, not necessarily about who is using it.

Sai Ram

Also note that bcrypt (the ruby gem) would give you a different output for the same password every time. This is because "bcrypt-ruby automatically handles the storage and generation of these salts for you."
source: github.com/codahale/bcrypt-ruby

This would prevent rainbow table attacks.

BCrypt::Password.create('password123')
=> "$2a$12$7y.HUfDjTlk/x.W6/qXnU.pr21Zpb8vA8zBUYYbibZ7GId5XtS7VW"

salt # "$2a$12$7y.HUfDjTlk/x.W6/qXnU."
checksum # "pr21Zpb8vA8zBUYYbibZ7GId5XtS7VW"

BCrypt::Password.create('password123')
=> "$2a$12$tzCuyx7OuC7fy5K7lUGJwuOH0SJxriKIfRy4IX6o9To1QtqV08hNe"

Sylvia Pap

I actually quoted and cited the ruby gem readme in this post. I covered the definition of a salt, and actually bcrypt handling the generation/storage does not change the fact that a salt will always yield a unique result. The important fact here is that it only gives two different hashes because you aren't saving either instance of password creation. Once a password is created and saved, it will always have the same hash:

pw = BCrypt::Password.create('password123')
 => "$2a$10$/Abmx5sENPk3KlSUviWVwOkiaAYrLf8dclai6wD4wyBCehRLpVRg." 
pw
 => "$2a$10$/Abmx5sENPk3KlSUviWVwOkiaAYrLf8dclai6wD4wyBCehRLpVRg."

The question of rainbow table attacks also misses the point - for a longer explanation please read this article that I also linked by the gem creator: codahale.com/how-to-safely-store-a...

Michiel Hendriks

Note that bcrypt does not always start with $2a. The 2 is the identifier for bcrypt. After that comes a revision. Nobody uses the original, as it had some serious flaws.

There is some weird 2x/2y thing which isn't widely adopted. (Mostly in PHP I think.)

In 2014 another issue was found and thus 2b now exists.

See also en.wikipedia.org/wiki/Bcrypt#Versi...
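
The hash-string layout discussed in the comments above (revision identifier, cost, salt, checksum), as an added example that is not part of any comment or of the bcrypt-ruby gem: a pure-Ruby parser with no gem dependency, run over the three hash strings quoted in this thread. The names `parse_bcrypt` and `rehash_reasons` and the minimum cost of 12 are assumptions made for illustration.

```ruby
# Added example: split a bcrypt hash string into its fields without the gem.
# Layout: $<revision>$<cost>$<22-char salt><31-char checksum>
BCRYPT_RE = %r{\A\$(2[abxy]?)\$(\d\d)\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z}

ParsedHash = Struct.new(:revision, :cost, :salt, :checksum)

def parse_bcrypt(str)
  m = BCRYPT_RE.match(str)
  raise ArgumentError, 'not a bcrypt hash string' unless m
  cost = m[2].to_i
  raise ArgumentError, "cost #{cost} outside 4..31" unless (4..31).cover?(cost)
  ParsedHash.new(m[1], cost, m[3], m[4])
end

# Assumed policy, for illustration only: flag hashes to be recomputed at the
# user's next successful login.
MIN_COST = 12

def rehash_reasons(str, min_cost: MIN_COST)
  h = parse_bcrypt(str)
  reasons = []
  reasons << 'original $2$ revision' if h.revision == '2'
  reasons << "cost #{h.cost} below #{min_cost}" if h.cost < min_cost
  reasons
end

# The three hash strings quoted in the comments on this page.
FIRST  = '$2a$12$7y.HUfDjTlk/x.W6/qXnU.pr21Zpb8vA8zBUYYbibZ7GId5XtS7VW'
SECOND = '$2a$12$tzCuyx7OuC7fy5K7lUGJwuOH0SJxriKIfRy4IX6o9To1QtqV08hNe'
SAVED  = '$2a$10$/Abmx5sENPk3KlSUviWVwOkiaAYrLf8dclai6wD4wyBCehRLpVRg.'

if __FILE__ == $0
  [FIRST, SECOND, SAVED].each do |s|
    h = parse_bcrypt(s)
    # The salt is readable straight from the stored string; only the
    # checksum depends on the password.
    puts "rev=#{h.revision} cost=#{h.cost} salt=#{h.salt} " \
         "rehash=#{rehash_reasons(s).inspect}"
  end
end
```

FIRST and SECOND come from the same password and the same cost, yet carry different salts and therefore different checksums; verification works because the salt needed to recompute the checksum is stored in the string itself.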

poo-jpg

Mansplain much?

Jens

Thanks for sharing your delicate "fishsoup".
... and as so often in real life: You should learn to be aware in which situation you use which specific tool.
(and keep in mind that nearly no human invention will lack some points for further improvement. ;))

poo-jpg

Ew

aderchox

I don't think hash(salt + password) is what bcrypt does. Salts are not hashed, they are kept in plaintext.
Read this: stackoverflow.com/a/6832628/9868445

Petr Janik

I started learning Ruby a few weeks ago, so I will definitely bear this algorithm in mind when I build my first application. Great tutorial!