The co-creator of the widely used password hashing algorithm “bcrypt” is reflecting on its 25-year history and finding inspiration in the core themes of cybersecurity to create electronic dance music.
During the early 2010s, as data breaches became a persistent threat, the choice of password hashing algorithm used by victim organizations became a crucial concern. If a weak algorithm like SHA-1 was used, the risk of password cracking and unauthorized account access increased. However, if bcrypt was employed, it provided a more secure safeguard.
As bcrypt reaches its 25th anniversary, Niels Provos, one of its co-inventors, acknowledges the algorithm’s positive impact, attributed to its open-source availability and technical characteristics that have sustained its longevity. In an interview with WIRED, Provos discusses his recently published retrospective on bcrypt in Usenix ;login:. Nevertheless, newer and more robust alternatives like scrypt and Argon2 now exist, prompting Provos to believe that bcrypt should gradually lose popularity rather than celebrate another major milestone.
The initial version of bcrypt was introduced in June 1997 with OpenBSD 2.1, an open-source operating system. Despite strict cryptography export limitations imposed by the United States at the time, Provos, who hails from Germany, contributed to its development while residing and studying in Germany.
Provos collaborated with David Mazieres, a systems security professor at Stanford University, who was studying at MIT when they worked together on bcrypt. The two met through the open-source community while working on OpenBSD.
In the context of login security, hashed passwords undergo cryptographic transformations to convert them from readable text into unintelligible data. These transformations, known as one-way functions, are easy to execute but extremely challenging to reverse-engineer or crack. Bcrypt introduced a crucial security parameter that could be adjusted over time to increase the computational power required to crack the hashes. This adaptability ensured that as processing speeds improved, bcrypt hashes became increasingly difficult to crack.
Mazieres emphasizes the importance of having a security parameter tied to computing resources for any password hashing algorithm. The next generation of hash functions not only relies on processing power but also requires significant memory resources to resist parallel attacks.
Despite advancements in technology, password security has stagnated over the years, much to the disappointment of Provos and Mazieres. They express surprise that passwords still play such a prominent role, even after 25 years. Provos has ventured into creating electronic dance music under the DJ name Activ8te, using it as a platform to spread awareness about security and drive cultural change in how individuals approach personal security. Mazieres adds that the tech industry has done a disservice by training users to authenticate in risky ways, such as frequently clicking on links and entering passwords without caution.
While bcrypt’s prominence may be diminishing, its creators believe that efforts to enhance digital authentication and overall security, as well as empowering individuals to strengthen their own digital defenses, are still worthwhile.
Provos remarks, “Bcrypt should have been superseded already. It’s surprising how much reliance we still have on passwords. If you had asked me 25 years ago, I would not have guessed that.” Despite his musical pursuits and potential blacksmithing endeavors, Provos feels compelled to contribute to the field of security due to his dissatisfaction with its current state.