What is bcrypt?

bcrypt was designed in 1999 by Niels Provos and David Mazieres specifically for password hashing, at a time when most systems used fast hash functions like MD5 or SHA-1. Its key innovation was the cost factor — a parameter that controls how many iterations of the underlying Blowfish key setup are performed. Each increment of the cost factor doubles the computation time, allowing defenders to scale the difficulty as hardware gets faster.

What distinguishes bcrypt from PBKDF2 is its resistance to GPU acceleration. PBKDF2 uses HMAC operations that map well to GPU architectures, allowing attackers with consumer GPUs to achieve massive parallelism. bcrypt's Blowfish-based key schedule requires frequent access to a 4KB state table that must be modified during computation. This memory access pattern does not parallelize efficiently on GPUs, forcing attackers back to CPU-speed attacks.

bcrypt produces a 60-character string that encodes the algorithm version, cost factor, salt, and hash together — making it self-contained and portable. A typical bcrypt hash looks like $2b$12$... where 12 is the cost factor. The current recommended minimum cost factor is 10 (approximately 100ms per hash on modern hardware), though 12-14 is common for applications that can tolerate slightly slower login times. bcrypt is available in virtually every programming language and remains one of the most widely deployed password hashing algorithms.

How Vaulted uses bcrypt

Vaulted uses PBKDF2 rather than bcrypt for passphrase-based key derivation because PBKDF2 is natively available through the Web Crypto API in browsers, while bcrypt is not. The Web Crypto API does not expose bcrypt, so using it would require a JavaScript implementation that sacrifices the security benefits of native, constant-time execution. For server-side applications that hash passwords for authentication, bcrypt remains an excellent choice — but for client-side key derivation in the browser, PBKDF2 via Web Crypto is the standard approach.