RazorInformatics

Moving from SHA256 to BCRYPT

We have moved all our applications from SHA-256 to bcrypt for password storage. We will continue using SHA-2 for the other, non-stored hashing functionality in our applications.
Why, you may ask?

Short answer: SHA-2 is designed to be fast, which makes it bad for passwords; bcrypt is built to be slow, which makes it great for passwords.

SHA-2 (Secure Hash Algorithm 2) is a family of cryptographic hash functions developed and released in 2001 by the United States National Security Agency (NSA). The family includes SHA-224, SHA-256, SHA-384 and SHA-512. The construction is designed to be fast, and it runs even faster on GPUs; that makes it great for a small server but bad for passwords.


bcrypt is a password hashing function based on the Blowfish cipher, developed by Dr. Niels Provos, a German security engineering, cryptography and malware researcher, for OpenBSD in 2002. The construction is deliberately slow, and it can be made slower by increasing its iteration count (the cost factor) so that it stays resistant as hardware gets faster.


The reason we are moving
The main reason we hash stored passwords is to make it harder for attackers to recover plaintext user passwords even if they gain access to the database. With this in mind, we considered the following:

  1. SHA-2 (SHA-256 to be specific) is designed to be fast, which is great for anyone trying to brute-force hashes, and this is made worse by how well it runs on GPUs, which makes a brute-force attack even easier. For passwords this is especially bad, because a stored hash sits in the database for a long time; speed is only a good feature for hashing data that changes regularly.
  2. Without a salt, the same password always produces the same hash. This is bad because many users choose common passwords, which is why dictionary attacks are a thing.
  3. Bcrypt is a tried-and-true password hashing tool. It has been around for 17 years, and it still gets the job done.

We know cryptography is a rapidly evolving field, and staying current with the latest vulnerabilities and advancements is key to maintaining robust and effective security mechanisms. We keep exploring, stay curious, and always prioritize your security needs.