bcrypt or Argon 2?

--

We were so privileged to have the mighty Troy Hunt come along to speak to our students, and he talked about companies moving their hashed passwords from MD5 and SHA1 towards improved methods such as bcrypt and Argon 2.

Hopefully, overall, we have passed the point of using MD5 or SHA1 for hashing passwords, as these are weak for this purpose. Basically, MD5 and SHA1 are fast hashing methods, so many candidate passwords can be tried at a rapid rate. bcrypt and Argon 2 slow down this process, so that the rate of hashing is significantly reduced. So, which should you use?

bcrypt

MD5 and SHA-1 produce a hash signature, but this can be attacked with rainbow tables. bcrypt is a stronger hash generator for passwords and uses a salt, so that the same password does not produce the same hash twice. It was designed by Niels Provos and David Mazières, and is based on the Blowfish cipher. It is used as the default password hashing method for BSD and other systems. Overall, it uses a 128-bit salt value, which requires 22 Radix-64 characters. It also has a configurable cost factor (a number of iterations), which slows down any brute-force cracking of the hashed value.

The slowness of bcrypt is highlighted by a recent AWS EC2 server benchmark using hashcat [here]:

| Hash type                  | Speed/sec     |
|----------------------------|---------------|
| MD5                        | 380.02M words |
| SHA1                       | 218.86M words |
| SHA256                     | 110.37M words |
| bcrypt, Blowfish (OpenBSD) | 25.86k words  |
| NTLM                       | 370.22M words |

And so, we move from 380 million words per second to just 25,860 words per second.

The work factor is 2^cost iterations, and the cost is often set to 11 by default (which matches the default across most implementations and is currently viewed as a good balance of security and risk). The mapping is:

| Cost  | Iterations               |
|-------|--------------------------|
| 8 | 256 iterations |
| 9 | 512 iterations |
| 10 | 1,024 iterations |
| 11 | 2,048 iterations |
| 12 | 4,096 iterations |
| 13 | 8,192 iterations |
| 14 | 16,384 iterations |
| 15 | 32,768 iterations |
| 16 | 65,536 iterations |
| 17 | 131,072 iterations |
| 18 | 262,144 iterations |
| 19 | 524,288 iterations |
| 20 | 1,048,576 iterations |
| 21 | 2,097,152 iterations |
| 22 | 4,194,304 iterations |
| 23 | 8,388,608 iterations |
| 24 | 16,777,216 iterations |
| 25 | 33,554,432 iterations |
| 26 | 67,108,864 iterations |
| 27 | 134,217,728 iterations |
| 28 | 268,435,456 iterations |
| 29 | 536,870,912 iterations |
| 30 | 1,073,741,824 iterations |
| 31 | 2,147,483,648 iterations |

Here is bcrypt: https://asecuritysite.com/bcrypt/

Argon 2

Argon2 is defined in RFC 9106, entitled “Memory-Hard Function for Password Hashing and Proof-of-Work Applications”, and is used for password hashing, key derivation and proof-of-work. The main variant is Argon2id, and the function is optimized for x86 architectures. Argon2id is a hybrid of two other variants: Argon2d and Argon2i. Overall, Argon2d uses a data-dependent memory access method and is useful for cryptocurrencies and proof-of-work applications, where there is no threat of side-channel timing attacks. Alternatively, Argon2i uses data-independent memory access and can be used for password hashing and password-based key derivation (KDF).

The main parameters used in Argon 2 are defined in Figure 1, such as iterations, memory cost (memcost) and parallelism. A standard encoded form is:

$argon2i$v=19$m=4096,t=2,p=4$salt$rZHPyRIa8XEvQ9rVqpvoibllLagNNGUeCNCmxeZfgBA

and where v=19 identifies the version of Argon 2 in use. The parameters are then defined in “m=4096,t=2,p=4”, and where we have a memory cost of 4,096 bytes, an iteration count of 2, and a parallelism of 4. The salt, in this case, is “salt”, and the derived hash is “rZHPyRIa8XEvQ9rVqpvoibllLagNNGUeCNCmxeZfgBA”. Argon 2 can also output a defined number of bytes (the digest size).
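As an added example (not code from the original post or from asecuritysite), here is a small Python parser for the two stored-hash formats discussed above: the bcrypt string, whose two-digit cost gives 2^cost iterations as in the table, and the Argon2 PHC string shown above, followed by a policy check a defender can run over a credential store. The policy floors are assumptions: cost 11 for bcrypt as the text's default, and t=3, m=64 MiB, p=4 for Argon2id, the lower-memory option recommended in RFC 9106; the sample strings are constructed, not real credentials.

```python
import re

# Constructed sample strings in the two formats discussed above (not real credentials).
SAMPLE_ARGON2 = "$argon2i$v=19$m=4096,t=2,p=4$salt$rZHPyRIa8XEvQ9rVqpvoibllLagNNGUeCNCmxeZfgBA"
SAMPLE_BCRYPT = "$2b$11$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

# bcrypt: $<version>$<2-digit cost>$<22-char Radix-64 salt><31-char Radix-64 hash>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
# Argon2 (PHC string): $<variant>$v=<version>$m=<KiB>,t=<passes>,p=<lanes>$<salt>$<hash>
ARGON2_RE = re.compile(
    r"^\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)\$([^$]+)\$([^$]+)$")

def parse_password_hash(encoded):
    """Return a dict of the scheme and its cost parameters, or raise ValueError."""
    m = BCRYPT_RE.match(encoded)
    if m:
        cost = int(m.group(2))  # work factor: 2^cost iterations, as in the table above
        return {"scheme": "bcrypt", "variant": m.group(1), "cost": cost,
                "iterations": 2 ** cost, "salt": m.group(3), "hash": m.group(4)}
    m = ARGON2_RE.match(encoded)
    if m:
        # m is memory in KiB per RFC 9106; t is passes over memory; p is parallel lanes
        return {"scheme": "argon2", "variant": m.group(1), "version": int(m.group(2)),
                "m_kib": int(m.group(3)), "t": int(m.group(4)), "p": int(m.group(5)),
                "salt": m.group(6), "hash": m.group(7)}
    raise ValueError("unrecognised password hash format")

# Assumed policy floors: bcrypt cost 11 as the text's default; Argon2id with
# t=3, m=64 MiB, p=4 is the lower-memory option recommended in RFC 9106 section 4.
POLICY = {"bcrypt_min_cost": 11, "argon2_min_t": 3, "argon2_min_m_kib": 65536, "argon2_min_p": 4}

def policy_findings(info):
    """List the ways a parsed hash falls short of POLICY (empty list = compliant)."""
    findings = []
    if info["scheme"] == "bcrypt":
        if info["cost"] < POLICY["bcrypt_min_cost"]:
            findings.append(f"bcrypt cost {info['cost']} below {POLICY['bcrypt_min_cost']}")
    else:
        if info["variant"] != "argon2id":
            findings.append(f"{info['variant']} used; argon2id preferred for password storage")
        if info["m_kib"] < POLICY["argon2_min_m_kib"]:
            findings.append(f"memory {info['m_kib']} KiB below {POLICY['argon2_min_m_kib']} KiB")
        if info["t"] < POLICY["argon2_min_t"]:
            findings.append(f"t={info['t']} below {POLICY['argon2_min_t']}")
        if info["p"] < POLICY["argon2_min_p"]:
            findings.append(f"p={info['p']} below {POLICY['argon2_min_p']}")
    return findings
```

Run `policy_findings(parse_password_hash(s))` over each stored string; an empty list means the record meets the assumed floors, and anything else is a candidate for rehashing at next login.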

Here is Argon 2: https://asecuritysite.com/argon2

Conclusions

bcrypt is good, but Argon 2 is better.

--

--

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.