{
    "slug": "bcrypt",
    "term": "bcrypt",
    "category": "security",
    "difficulty": "intermediate",
    "short": "A deliberately slow password hashing algorithm designed to resist brute-force attacks by tunable computational cost.",
    "long": "bcrypt takes a cost factor (work factor): its expensive key-setup phase runs 2^cost times, so raising the cost by one doubles the time per hash — and per attacker guess — which lets the parameter keep pace with hardware. A cost of 12 is a reasonable 2026 default; benchmark on your own servers and pick the highest cost that keeps one hash in the low hundreds of milliseconds. bcrypt generates a random salt per hash and embeds it in the output string, so two hashes of the same password differ and no separate salt column is needed. Only the first 72 bytes of the password are used (see misconception). In PHP, use password_hash($pass, PASSWORD_BCRYPT, ['cost' => 12]) to hash and password_verify($input, $hash) to check — never compare hashes yourself with == or ===.",
    "aliases": [
        "blowfish password hash",
        "bcrypt hashing"
    ],
    "tags": [
        "cryptography",
        "passwords",
        "authentication"
    ],
    "misconception": "Bcrypt is always the best password hashing choice. bcrypt uses only the first 72 bytes of its input (bytes, not characters — multibyte UTF-8 reaches the limit sooner): two passwords that differ only after byte 72 produce the same hash, and a pepper appended after a long password can be cut off entirely. Argon2id (memory-hard, no length limit) is the modern recommendation where available; bcrypt with an adequate cost remains acceptable.",
    "why_it_matters": "Bcrypt is purpose-built for passwords: the per-hash random salt defeats rainbow tables and any shared precomputation, and the tunable cost makes every brute-force guess expensive. MD5 and the SHA family are general-purpose digests designed to be fast — exactly the wrong property for password storage, where the attacker's guess rate is what matters. (Those digests are fine as building blocks inside PBKDF2 or HMAC; they are wrong only when used on their own.)",
    "common_mistakes": [
        "Using MD5, SHA-1, or SHA-256 directly for passwords — even with a salt they are fast general-purpose hashes, not password hashing algorithms; use bcrypt, Argon2id, scrypt, or PBKDF2.",
        "Setting the cost factor too low (below 10) — cost is exponential, so each step down halves the attacker's work; never lower it to fix a slow login, and raise it over time via password_needs_rehash().",
        "Storing bcrypt hashes in a column shorter than 60 characters — the hash is silently truncated and password_verify() will never succeed; use a wider column (the PHP manual suggests 255) so a later migration to Argon2id, whose output is longer, does not hit the same wall.",
        "Pre-hashing with a raw digest before bcrypt (e.g. md5($pass, true) or hash('sha256', $pass, true)) — a raw binary digest can contain a NUL byte, which some bcrypt implementations treat as end-of-string, leaving only a few bytes of effective input. If you must pre-hash to get past the 72-byte limit, use an encoded output (base64 of HMAC-SHA-256, as the OWASP cheat sheet describes), and prefer Argon2id, which has no such limit."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "password_hash",
        "argon2",
        "weak_cryptography"
    ],
    "prerequisites": [
        "password_hash",
        "argon2",
        "cryptography"
    ],
    "refs": [
        "https://www.php.net/manual/en/function.password-hash.php",
        "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html"
    ],
    "bad_code": "// NEVER hash passwords with fast general-purpose digests (md5, sha1, sha256) —\n// an attacker can test enormous numbers of guesses per second; a salt does not fix the speed\n$hash = md5($password);\n$hash = hash('sha256', $password);\n$hash = hash('sha256', $salt . $password);",
    "good_code": "// PHP built-in — PASSWORD_BCRYPT named explicitly; PASSWORD_DEFAULT is currently bcrypt too\n// (default cost was 10, raised to 12 in PHP 8.4), and the cost is upgradeable later\n$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);\n\n// Verify (constant-time comparison)\nif (password_verify($input, $hash)) {\n    // Rehash ONLY inside a successful verify — $input is plaintext the user just proved correct.\n    // Rehashing on a failed login would overwrite the account's hash with a wrong password.\n    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => 12])) {\n        $hash = password_hash($input, PASSWORD_BCRYPT, ['cost' => 12]);\n        // save new hash\n    }\n    /* authenticated */\n}",
    "quick_fix": "Use password_hash($pass, PASSWORD_BCRYPT) to hash and password_verify($input, $hash) to check — never md5/sha1, and never compare hash strings with == yourself",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-13",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/bcrypt",
        "html_url": "https://codeclaritylab.com/glossary/bcrypt",
        "json_url": "https://codeclaritylab.com/glossary/bcrypt.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[bcrypt](https://codeclaritylab.com/glossary/bcrypt) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/bcrypt"
            }
        }
    }
}