How to Hash Passwords using bcrypt in Linux

What is bcrypt?

bcrypt is a password hashing function based on the Blowfish cipher, designed by Niels Provos and David Mazières. bcrypt was designed with features that protect against rainbow table attacks as well as brute-force search attacks. What makes bcrypt particularly useful for password hashing is that it is also adaptable to the increasing speed and computational power of modern processors and hardware.

bcrypt builds on the Blowfish cipher, whose key setup is computationally expensive; this makes keying (and therefore encryption and decryption) slower, which protects against brute-force attacks. bcrypt takes this a step further and introduces a configurable iteration parameter, the cost, which controls the number of rounds the Blowfish key setup (including the salt) is applied. Increasing the cost slows down the algorithm, which in turn slows down brute-force attacks on modern hardware. This matters because modern hardware can now test tens of thousands, even millions, of passwords per second. With technology advancing every day, being able to raise bcrypt's cost to match is what makes it flexible.

How to hash passwords with bcrypt from the command line?

Using the htpasswd CLI program, you can hash a password with bcrypt using either of the following commands (the second omits -C and so uses htpasswd's default cost):

htpasswd -nbBC 10 USER PASSWORD
htpasswd -nbB USER PASSWORD

The parameters passed to htpasswd have the following functions:

-n prints the hash to stdout instead of writing it to a file.

-b takes the password from the command line (the second argument, after the username) instead of prompting for it interactively.

-B selects bcrypt as the hashing algorithm.

-C 10 sets the bcrypt cost (the iteration count) to 10.

Both commands print a line to stdout in the form: {user}:{hash}
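As an added example, not part of the original article, here is a small Python script that parses the {user}:{hash} lines htpasswd prints and audits them for the cost parameter discussed above. It assumes the hash is in the modular crypt format that bcrypt implementations write (a $2a$, $2b$ or $2y$ prefix, a two-digit cost, a 22-character salt and a 31-character digest, all in bcrypt's own ./A-Za-z0-9 alphabet; htpasswd -B writes the $2y$ variant). The sample htpasswd lines, the salt and the digest are constructed for illustration and are syntactically valid but not real hashes of any password; no bcrypt computation is performed.

```python
import re
from dataclasses import dataclass

# bcrypt uses its own base64 alphabet (./A-Za-z0-9), not the RFC 4648 one.
BCRYPT_B64 = r"[./A-Za-z0-9]"

# Modular crypt format as written by htpasswd -B:
#   $2y$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[aby])\$(?P<cost>\d{2})\$"
    r"(?P<salt>" + BCRYPT_B64 + r"{22})"
    r"(?P<digest>" + BCRYPT_B64 + r"{31})$"
)


@dataclass
class BcryptHash:
    variant: str
    cost: int
    salt: str
    digest: str

    @property
    def rounds(self) -> int:
        # The cost is a log2 value: key setup is repeated 2**cost times,
        # so each +1 on the cost doubles the work for attacker and defender alike.
        return 2 ** self.cost


def parse_bcrypt(hash_str: str) -> BcryptHash:
    """Split a bcrypt hash string into its fields, rejecting anything malformed."""
    m = BCRYPT_RE.match(hash_str)
    if m is None:
        raise ValueError("not a bcrypt hash in modular crypt format")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} outside the valid range 4..31")
    return BcryptHash(m.group("variant"), cost, m.group("salt"), m.group("digest"))


def audit_htpasswd(lines, min_cost=10):
    """Return (user, problem) for every htpasswd entry that is not bcrypt with cost >= min_cost."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_str = line.partition(":")
        if not sep:
            findings.append((user, "malformed line (no ':' separator)"))
            continue
        try:
            parsed = parse_bcrypt(hash_str)
        except ValueError as exc:
            findings.append((user, str(exc)))
            continue
        if parsed.cost < min_cost:
            factor = 2 ** (min_cost - parsed.cost)
            findings.append((user, f"cost {parsed.cost} below minimum {min_cost} "
                                   f"({factor}x cheaper to brute-force)"))
    return findings


# Constructed salt and digest: correct lengths and alphabet, but not a real hash.
SALT = "Kz7vQ2mRbX4pLw9sYt1nAe"            # 22 chars
DIGEST = "hG3cD8fJ5kM0pQ6rT2uV9wX1yZ4aB7e"  # 31 chars

# Constructed htpasswd file contents, one {user}:{hash} line per entry.
SAMPLE_HTPASSWD = [
    "# constructed sample file",
    "alice:$2y$10$" + SALT + DIGEST,        # bcrypt, cost 10: fine
    "bob:$2y$05$" + SALT + DIGEST,          # bcrypt, cost 5: too cheap
    "carol:$apr1$saltsalt$notbcryptdigest",  # different algorithm
    "dave",                                  # no separator at all
    "erin:$2y$10$" + SALT + DIGEST[:-1],    # truncated digest
]

if __name__ == "__main__":
    for user, problem in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"{user}: {problem}")
```

Run it against a real htpasswd file by replacing SAMPLE_HTPASSWD with the file's lines; raising min_cost is how you enforce the cost policy the article describes, and the 2**cost rounds property makes the relative work of two costs easy to compare.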

You can find more information about how to install htpasswd here, as well as on Apache’s official documentation.