
bcrypt

Adaptive cryptographic hash function designed to secure password storage with built-in protection against brute-force attacks.

Updated on January 13, 2026

bcrypt is a cryptographic hash function specifically designed for secure password storage. Based on the Blowfish cipher algorithm, it incorporates automatic salt generation and a configurable cost factor that intentionally slows down the hashing process to counter brute-force attacks. Developed in 1999 by Niels Provos and David Mazières, bcrypt remains one of the most recommended solutions for protecting user credentials.

Technical Fundamentals

  • Blowfish-based algorithm with automatic generation of a 128-bit random salt for each password
  • Configurable work factor enabling progressive increase of computational complexity as hardware evolves
  • Adaptive architecture making hashing intentionally slow (50ms to 1s depending on cost factor) to slow down attacks
  • Standardized output format encoding salt, cost factor, and hash in a single string facilitating verification

Security Benefits

  • Native protection against rainbow table attacks through unique per-password salting
  • Resistance to brute-force attacks via configurable computational slowdown
  • Security level scalability without code modification by simply adjusting the work factor
  • No imposed password length limitations unlike certain algorithms
  • Mature and audited implementations available in most programming languages
  • Compliance with modern security standards (OWASP, NIST) for password management

Practical Implementation Example

auth-service.ts
import bcrypt from 'bcrypt';

// Minimal user record and lookup. The original listing calls getUserByEmail
// without defining it; this ambient declaration stands in for the real
// database query and is an assumption, not part of the page's own code.
interface User {
  id: string;
  passwordHash: string;
}
declare function getUserByEmail(email: string): Promise<User | null>;

// Configure cost factor (10-12 recommended)
const SALT_ROUNDS = 12;

// Hash password during registration; bcrypt.hash generates the random salt itself
async function hashPassword(plainPassword: string): Promise<string> {
  try {
    const hashedPassword = await bcrypt.hash(plainPassword, SALT_ROUNDS);
    // Result: $2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
    return hashedPassword;
  } catch (error) {
    throw new Error('Password hashing error');
  }
}

// Verify during login; bcrypt.compare reads salt and cost factor from the stored hash
async function verifyPassword(
  plainPassword: string,
  hashedPassword: string
): Promise<boolean> {
  try {
    return await bcrypt.compare(plainPassword, hashedPassword);
  } catch (error) {
    throw new Error('Password verification error');
  }
}

// Usage example
async function authenticateUser(email: string, password: string) {
  // Retrieve hash from database
  const user = await getUserByEmail(email);

  // Return the same message for an unknown user and a wrong password so the
  // response does not reveal which e-mail addresses have accounts
  if (!user) {
    return { success: false, message: 'Invalid credentials' };
  }

  const isValidPassword = await verifyPassword(password, user.passwordHash);

  if (isValidPassword) {
    return { success: true, userId: user.id };
  }
  return { success: false, message: 'Invalid credentials' };
}

Implementation Best Practices

  1. Choose an appropriate cost factor (12-14 for 2024) by testing performance on your target infrastructure
  2. Install native bcrypt library (avoid pure JavaScript implementations which are less performant)
  3. Never store passwords in plain text, even temporarily in memory or logs
  4. Implement verification asynchronously to avoid blocking the main thread
  5. Provide automatic rehashing mechanism when the cost factor is increased
  6. Combine bcrypt with other security measures (rate limiting, multi-factor authentication)
  7. Monitor response times to detect potential denial-of-service attacks targeting hashing

Professional Tip

Test bcrypt execution time on your infrastructure before choosing the work factor. Aim for a hashing time between 250ms and 500ms: slow enough to deter attackers but fast enough not to degrade the user experience. Use `bcrypt.getRounds(hash)` to read the cost factor of an existing hash, and raise it progressively as users change their passwords.
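The rehashing mechanism from best practice 5 and the tip above rely on the cost factor being readable from the stored string. The following example, added here and not taken from the page or from the bcrypt library, parses the bcrypt output format (`$2b$12$` followed by a 22-character salt and a 31-character digest), reports whether a stored hash falls below the current policy, and performs the transparent upgrade after a successful login. The `hashFn` parameter is an assumption so the logic runs without the native module; in production pass `bcrypt.hash`.

```typescript
// Added example (not from the original page): parse the bcrypt modular-crypt
// string and decide whether a stored hash must be re-hashed because the
// configured cost factor has been raised since the user last logged in.

interface BcryptParts {
  variant: string; // "2a", "2b", "2x" or "2y"
  cost: number;    // work factor: 2^cost key-schedule iterations
  salt: string;    // 22 chars of bcrypt base64 (128-bit salt)
  digest: string;  // 31 chars of bcrypt base64 (184-bit hash)
}

// bcrypt uses its own base64 alphabet: "./A-Za-z0-9"
const BCRYPT_RE = /^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

function parseBcryptHash(hash: string): BcryptParts | null {
  const m = BCRYPT_RE.exec(hash);
  if (!m) return null;
  const cost = Number(m[2]);
  // Implementations accept cost factors from 4 to 31 inclusive
  if (cost < 4 || cost > 31) return null;
  return { variant: m[1], cost, salt: m[3], digest: m[4] };
}

// True when the stored hash uses a lower cost than the current policy, or
// when the string is not a recognisable bcrypt hash at all (legacy format).
function needsRehash(storedHash: string, targetCost: number): boolean {
  const parts = parseBcryptHash(storedHash);
  return parts === null || parts.cost < targetCost;
}

// Transparent upgrade on login: call this only after the password has been
// verified against storedHash. `hashFn` is injected (hypothetical parameter,
// e.g. bcrypt.hash) so the decision logic is testable without the native
// module. Returns the new hash to persist, or null when no upgrade is needed.
async function upgradeHashAfterLogin(
  storedHash: string,
  plainPassword: string,
  targetCost: number,
  hashFn: (pw: string, cost: number) => Promise<string>
): Promise<string | null> {
  if (!needsRehash(storedHash, targetCost)) return null;
  return hashFn(plainPassword, targetCost);
}
```

Persist the returned hash in the same transaction as the login so a crash between verification and the update cannot leave the account without a hash.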

Tools and Ecosystem

  • bcrypt (Node.js) - Most popular native implementation with C++ bindings
  • bcrypt-ruby - Version for Ruby on Rails applications with ActiveModel support
  • Spring Security BCrypt - Native integration in the Spring Java ecosystem
  • passlib (Python) - Comprehensive library including bcrypt and other algorithms
  • password_hash (PHP) - Native PHP function using bcrypt by default since PHP 5.5
  • OWASP Password Storage Cheat Sheet - Reference guide for best practices

Adopting bcrypt represents a strategic investment in your application security. By effectively protecting user credentials, you significantly reduce data breach risks, preserve customer trust, and ensure compliance with data protection regulations (GDPR, CCPA). Its ability to adapt to hardware evolution guarantees long-term protection without major architectural overhaul.
