javasecuritybcryptpbkdf2jbcrypt

BCrypt vs PBKDF2WithHmacSHA1

In order to hash passwords securely, which algorithm should I use? BCrypt or PBKDF2WithHmacSHA1?

Which is more secure? PBKDF2WithHmacSHA1 is built into Java while BCrypt is available via jBCrypt library (which has mostly received positive reviews).

Also if I go with BCrypt should I limit my user's password entry to 55 characters only (since that is the limit of BCrypt)?

It would be helpful if you are Java specific.
Do note that I would go for the option that makes the passwords more secure and brute-forcing more difficult.

Solution

  • They are not the same, and they are not equally secure.

    On a CPU, they both use about the same amount of resources, and are about the same at defending the password.

    The issue comes down to GPU based attacks. Due to the architectures of GPUs, bcrypt is actually harder to run than SHA1 (or SHA256). Therefore, it's easier to parallelize PBKDF2 + sha1 than it is bcrypt.

    To put some actual numbers on it, we'll draw from This presentation.

    Sha-1 is about 3x more expensive than md5. So if we look at the slow hashing function slides, we can conclude that md5crypt is about 3x faster than pbkdf2-sha1. That's quite a bit of guesswork, but it's in the margin of what we're looking for.

    So that means, that for an equavilent CPU runtime, we can expect PBKDF2-sha1 to run about 25 Million hashes per second on the GPU cluster. Compare that to BCrypt (with cost 5) which runs at 75 Thousand hashes per second.

    So that implies that PBKDF2+sha1 is about 1000 times weaker than bcrypt at equivalent cost settings.

    Note though that PBDFK2+sha512 is almost as slow as bcrypt. This has to do with SHA-512 using 64 bit operations (which aren't native in today's GPUs).

    So in short, bcrypt is orders of magnitude more secure than PBKDF2+SHA1. It's more secure than PBKDF2+SHA512, but not by as much of a margin.

    And this relies on GPU architecture of today. In the future, if cache sizes and instruction sets change significantly, these differences could wash out. And that's why newer algorithms like scrypt exist.

    So just use bcrypt. And don't worry about the character limit