The most secure password hashing algorithms

Engineering

Password hashing algorithms can make or break a database leak. While every endeavour should be made to protect a site database, unfortunately sometimes this has proven unsuccessful for even the largest of sites.

So what can we do to mitigate such circumstances? Well first and foremost, enforcing a strong-password policy should be a common practice in all system designs.

The number of systems that allow simple passwords such as “password” or “password123” in 2018 is mind-blowing.

Every system designed to allow user-input passwords should be enforcing a mixture of lower and upper alphanumeric characters, and special characters.

While the algorithms presented below are all very good at withstanding brute-force and dictionary attacks, all of that is thrown out the window with simple passwords that most password crackers will try first.

Once a secure password policy has been enforced, the hashing algorithm is the second piece of the puzzle to mitigate password leaks.

Combined with a secure-policy, the slower the hashing algorithm, the longer it will take to “break” a password.

Here is a list of the three recommended, secure password hashing algorithms designed to withstand even the most powerful of systems today.

Bcrypt

Bcrypt was designed based on the Blowfish cipher and originally presented at USENIX in 1999.

Bcrypt is recognisable by one of three password-hash prefixes:

  • $2a$ – The original specification used this prefix.
  • $2x$, $2y$ – June 2011, after a bug was discovered in crypt_blowfish (the PHP implementation of Blowfish) mishandling 8th-bit characters.
  • $2b$ – February 2014, after a bug was discovered in the OpenBSD implementation when passwords exceeded 255 characters

Pros

Bcrypt has been heavily scrutinized over the years, especially being designed for OpenBSD where they have a heavy emphasis on security and code auditing.

Being a few decades old now, Bcrypt has had a lot of attention and eyes over the years and although the implementations have experienced a few bugs, the actual hashing algorithm remains solid.

Cons

Because Bcrypt was created before the uptake of high-powered GPU hashing machines, it can be suspectable to brute-force and dictionary-based attacks.

This isn’t to say the algorithm itself has a security flaw, but rather technology eventually caught up to a pace where it was able to attempt thousands of guesses per second.

This, however, can be mitigated by following best practices when designing passwords, which unfortunately most users don’t follow.

At the Password^12 conference in Norway, Jeremi Gosney demonstrated a 25-GPU rig that could hash 71,000 attempts per second on a Bcrypt password.

Given an 8-character password using a combination of alpha-numeric and special characters has 645,753,531,245,761 ((10+26+26+19)^8) possible combinations, even such a rig would take approximately 288 years to try every possible password.

Scrypt

Scrypt was first established in 2009 and introduced by the IETF as RFC7914 in 2016. It is used in many cryptocurrencies as proof of work and served as the basis for Litecoin, Dodgecoin and Bitcoin-sCrypt.

Scrypt is identifiable by the $scrypt$ password-hash prefix.

Pros

Scrypt builds upon Bcrypt where Bcrypt is computationally expensive, Scrypt is also memory intensive.

This means that more resources are required when using brute-force and dictionary attacks against the hashing algorithm.

Cons

Scrypt isn’t as old as Bcrypt and has yet to face the same amount of time and scrutiny which means it is possible that it has flaws. However, this is yet to be determined.

Argon2

Argon2 is the newest of password hashing algorithms, having won the PHC (Password Hashing Competition) in 2015.

It aims to maximize resistance to GPU and ASIC-cracking attempts by making itself very memory intensive.

There are three versions of Argon2, however, Argon2i is recommended for password hashing.

Argon2 is identifiable by the following password-hash prefixes:

$argon2d$ – Argon2d $argon2i$ – Argon2i

Pros

Argon2i aims to be very resistant to GPU and ASIC attack vectors, which are the fastest methods of attacking password hashes with brute-force and dictionary attacks today.

Cons

Argon2 is a very young hashing algorithm and as such has experienced little scrutiny thus far.

It has also experienced two attacks on Argon2i, thus far. While Argon2i 1.3 claims to have fixed the attack vectors, only time will tell if there are more attacks found.

Although Bcrypt is the “fastest” password hashing method to attack with brute-force and dictionary attacks, it has held up well to the scrutiny over the years.

Keep in mind that a hashing algorithm is only as secure as the password policy behind it. If history has taught us one thing, if we allow people to use the easiest passwords possible, they will.

If you want to know more about how to implement a secure password hashing algorithm, check out our tutorial on how to encrypt passwords in PHP/Node.JS/Python.