Proceedings of the National Conference on Emerging Computer Applications (NCECA)-2021                                    281
Vol.3, Issue.1
Password Security using BCrypt

Sreehari C A, Department of Computer Application, Amal Jyothi College of Engineering, Kanjirapally, Kottayam, sreeharica@mca.ajce.in
Nimmy Francis, Department of Computer Application, Amal Jyothi College of Engineering, Kanjirapally, Kottayam, nimmyfrancis@amaljyothi.ac.in
Abstract—Passwords are still the most prevalent means of user identification for many internet services, and attacks on password databases are a serious concern. Servers store password hashes produced with special password hashing functions that slow down guessing attempts and so lessen the risk. Bcrypt is a password hashing algorithm that converts variable-length input into fixed-length output; this conversion is known as hashing, and the bcrypt algorithm is used to hash the input. PBKDF2, bcrypt, and scrypt are the most commonly used functions of this type. In today's environment, we rely on Internet services on a regular basis.

Keywords—bcrypt algorithm, salt, hash

I. INTRODUCTION

Bcrypt is a password-hashing function developed by Niels Provos and David Mazières and first presented at USENIX in 1999. The "b" stands for Blowfish and "crypt" for the name of the hashing function used by the UNIX password system [1]. We can use the bcrypt hashing function to build a password security platform that scales with computing power and always hashes each password with a salt. Bcrypt has the advantage of requiring a salt by default.

If a password is stored in plain text or is protected only by a simple encryption method, the password can be decrypted and stolen, which could lead to a forged login and a breach of privacy [2]. BCrypt can adjust the cost of hashing by means of a key factor; changing the key factor changes the hash output. As a result, BCrypt is impervious to hackers, particularly to the rainbow table method of password cracking. If you have sensitive data or information that needs to be protected, it is critical that you secure it properly. As we have seen, there are a variety of approaches for securing this information, but only BCrypt provides a genuinely strong solution [3].

All an attacker needs to do, if they get their hands on a user's password digest, is run the hash function against a large number of probable passwords. The time it takes to run that code millions of times is the only thing standing between the attacker and the original password. By imposing a cost factor on the hash, also known as salt rounds, we can effectively slow the attacker down. The internal hashing procedure is repeated as many times as the cost factor specifies, and the hashing process slows down by a factor of two for every increment of the cost factor. Even if the attacker obtains our password digest, the hash function will run as slowly as the number of salt rounds we specify. You can slow the process down as much as you want, which was a unique feature of bcrypt [4].

1.1 BCrypt alternatives

Password hashing is not limited to Bcrypt; there are other solutions and competing choices. When comparing Bcrypt alternatives, keep their features and functioning in mind. Some of the Bcrypt alternatives are listed below:

1. MD5: The MD5 hashing method is a one-way cryptographic function that takes a message of any length as input and produces a fixed-length digest value that can be used to verify the original message [5].
2. SHA1: The Secure Hash Algorithm 1 (SHA-1) is a cryptographic computer security algorithm.

II. LITERATURE SURVEY

P. Sriramya and R. A. Karthika, in "Providing password security by salted password hashing using BCrypt algorithm", focus on providing security for users' data by using the salted password hashing technique. They also discuss how to prevent several password attacks [2].

"A comparison of password protection method for web-based platforms implemented with PHP and MYSQL" by Nedyalko Katrandzhiev, Daniel Hristozov and Borislav Milenkov explains the need for security methods to protect sensitive data. They compare MD5, SHA1, BCrypt and Argon2. From this we understood that BCrypt is better than MD5 and SHA1 [6].

"Password security using BCrypt with AES encryption Algorithm" by Narander Kumar and Priyanka Chaudhary describes a technique that combines BCrypt with AES encryption to protect user accounts [7].

Niels Provos and David Mazières, in "A Future-Adaptable Password Scheme", suggest methods for designing systems that keep password security up to date with hardware speeds. They conclude that Bcrypt, a hash function, can be used to replace the UNIX password hashing algorithm or as a front-end to secure password protocols such as SRP [8].

We may conclude from all of the aforementioned papers that Bcrypt is one of the best data protection methods. By raising the number of rounds of bcrypt, we can reduce any advantage attackers would gain from faster hardware.
DOI: 10.5281/zenodo.5094166
ISBN:978-93-5426-386-6@2021 MCA, Amal Jyothi College of Engineering Kanjirappally, Kottayam
III. METHODOLOGY

Hashing a password

Taking a plain text password and running it through a hash algorithm is known as "hashing". The hash algorithm accepts a string of any length and returns a fixed-length string. Every time you pass the same password into the hash algorithm, the returned hash is the same [9].

Salting a password

The hash algorithm's result is no longer predictable after hashing a plain text password with a salt: the hash generated from the same password will no longer be the same. The salt is included in the hash by default [9].

How to salt & hash a password using BCrypt

•    Step 1: Install the BCrypt library.

     $ npm i bcrypt

•    Step 2: Include the bcrypt module.

     const bcrypt = require('bcrypt');

•    Step 3: Set a value for saltRounds. The higher the saltRounds value, the more time the hashing algorithm takes.

     const saltRounds = 12;

•    Step 4: Declare a password variable.

     var password = "Kasd^42t@jwe";

•    Step 5: Generate a salt. You can salt and hash the password in one function or by using separate functions. Here, in the genSalt function, we pass bcrypt.genSalt() these parameters:

     1. saltRounds
     2. a callback receiving an error and the returned salt:

     bcrypt.genSalt(saltRounds, function (err, salt) {
       // err is set if salt generation failed; otherwise salt holds the new salt
       if (err) throw err;
       // returns salt
     });

•    Step 6: Hash the password. We pass bcrypt.hash() these parameters:

     1. password
     2. salt
     3. a callback receiving an error and the returned hash

     bcrypt.genSalt(saltRounds, function (err, salt) {
       if (err) throw err;
       bcrypt.hash(password, salt, function (err, hash) {
         if (err) throw err;
         // hash embeds the salt and the cost, so only the hash is stored
         console.log(hash);
       });
     }); [9]

IV. CONCLUSION

For salting and hashing passwords, Bcrypt is a common and trusted approach. We have shown how to use bcrypt's NodeJS library to salt and hash a password before saving it in a database. Password protection is one of the essential parts of security. Hashing is a technique that is commonly used to convert plain text passwords into a set of characters that cannot be decoded. In this paper we discussed BCrypt, which can be used to avoid these kinds of security issues and provide more secure access.

V. FUTURE WORKS

In future this can be used in many social websites in order to provide secure access to their users. BCrypt makes any kind of data secure.

VI. REFERENCES

[1] https://en.wikipedia.org/wiki/Bcrypt
[2] P. Sriramya and R. A. Karthika, Department of Computer Science and Engineering, Saveetha School of Engineering, Saveetha University, Chennai, India, "Providing password security by salted password hashing using bcrypt algorithm", 2015.
[3] https://danboterhoven.medium.com/why-youshould-use-bcrypt-to-hash-passwordsaf330100b861
[4] https://all-about-bcrypt.glitch.me/
[5] https://searchsecurity.techtarget.com/definition/M
[6] Nedyalko Katrandzhiev, Daniel Hristozov and Borislav Milenkov, University of Food Technologies, Plovdiv, Computer Systems and Technologies, "A comparison of password protection method for web-based platforms implemented with PHP and MYSQL", 2019.
[7] Narander Kumar and Priyanka Chaudhary, "Password security using BCrypt with AES encryption Algorithm", 2017.
[8] Niels Provos and David Mazières, Monterey, California, USA, "A Future-Adaptable Password Scheme", 1999.
[9] https://heynode.com/blog/2020-04/salt-and-hashpasswords-bcrypt