Bcrypt

  Increasing computational power makes the use of cryptography to further system security more feasible and allows for more tuneable security parameters such as public key length. However, one security parameter - the length and entropy of user-chosen passwords - does not scale at all with computing power. Many systems still require user-chosen secret passwords which are hashed to keep them secret. When the UNIX password hash crypt(3) was introduced in 1976, it could not hash more than four passwords per second. With increasingly more powerful attackers it is common to compute more than 200,000 password hashes per second. In OpenBSD we use the bcrypt algorithm to make the cost of password hashing parameterizable. Its design makes it hard to optimize bcrypt's execution speed or use commodity hardware instead of software. bcrypt uses a 128-bit salt and encrypts a 192-bit magic value. It takes advantage of the fact that the Blowfish algorithm (used in the core of bcrypt for password hashing) needs a fairly expensive key setup, thus considerably slowing down dictionary-based attacks. bcrypt uses the arc4random(3) interface for password salt-generation. A comparison between this approach and the mechanism used in certain other Unix systems for generating salts has shown that while arc4random(3) behaved extremely close to the statistical theoretical expectations; in contrast, other systems produced large numbers of collisions, making dictionary attacks faster.

A special configuration file, passwd.conf(5), is used to determine which type of password scheme is used for a given user or group. It is possible to use different password schemes for local or YP passwords. For bcrypt, the number of rounds is also included. This facilitates adapting the password verification time to increasing processor speed. Currently, the default number of rounds for a normal user is 2⁶, and 2⁸ for ``root.'' bcrypt is used in OpenBSD as the default password scheme since version 2.1. For more details, see [33].