Bcrypt Hash Explainer - Understand Bcrypt

BCrypt Hash Input

Samples:

Full Hash Anatomy

Version	Algorithm	UTF-8 Safe	Status	Notes
$2$	Original bcrypt	No	Legacy	Original Niels Provos / David Mazières (1999)
$2a$	bcrypt v2a	Partial	Common	Attempted UTF-8 fix; has 8-bit char handling bug on some C implementations
$2x$	bcrypt v2x	No	Broken	Marks hashes produced by the buggy crypt_blowfish <1.0.4 implementation
$2y$	bcrypt v2y	Yes	Good	PHP's crypt() fix — explicitly correct UTF-8 handling
$2b$	bcrypt v2b	Yes	Recommended	OpenBSD canonical — recommended for all new implementations

How BCrypt Works — Step by Step

Password Preprocessing

The password is null-terminated and truncated to 72 bytes (a hard BCrypt limitation). This means passwords longer than 72 bytes hash identically — a known gotcha. The password is encoded as UTF-8 before processing.

password_bytes = utf8_encode(password)[0:72] + '\0'

Generate Random Salt

128 bits (16 bytes) of cryptographically random data are generated. This ensures that two identical passwords always produce different hashes, defeating rainbow table attacks. The salt is encoded in BCrypt's custom Base64 alphabet (22 characters).

salt = crypto_random_bytes(16) // 128 bits salt_b64 = bcrypt_base64_encode(salt) // 22 chars

EksBlowfishSetup — Key Schedule

BCrypt uses the Blowfish cipher's key schedule with an "Expensive Key Setup" (Eks) extension. The initial P-array and S-boxes are seeded with the digits of π (pi), then mixed with the password and salt through 2 ^cost iterations. This is the computationally expensive step.

state = InitState() // π-seeded P-array + S-boxes state = EksBlowfishSetup(state, cost, salt, password) // Internally: 2^cost rounds of: // ExpandKey(state, salt) // ExpandKey(state, password)

Encrypt the Magic String

The ASCII string


          "OrpheanBeholderScryDoubt"

(192 bits, 3 × 64-bit Blowfish blocks) is encrypted 64 times using the derived Blowfish key state. This produces the 24-byte raw digest.

ctext = "OrpheanBeholderScryDoubt" // 24 bytes for i in range(64): ctext = blowfish_ecb_encrypt(state, ctext) // Result: 24 bytes = 192 bits

Encode Output

The first 23 bytes of the 24-byte result are encoded in BCrypt's custom Base64 (31 characters). The last byte is discarded. The final hash is assembled from: version prefix + cost + encoded salt (22 chars) + encoded digest (31 chars) = 60 chars total.

digest_b64 = bcrypt_base64_encode(ctext[0:23]) // 31 chars hash = "$2b$" + zero_pad(cost, 2) + "$" + salt_b64 + digest_b64 // Total: 60 characters

Verification

To verify a password, extract the salt from the stored hash, re-run the entire process with the candidate password and same salt, then compare the output to the stored hash using constant-time comparison to prevent timing attacks.

// ✅ Correct approach (constant-time): hash_verify = bcrypt(candidate_password, stored_salt, stored_cost) return constant_time_compare(hash_verify, stored_hash) // ❌ NEVER use string equality — timing attack risk: // return hash_verify === stored_hash

Blowfish Internals

P-Array (18 × 32-bit subkeys)

The Blowfish P-array consists of 18 32-bit subkeys (P1–P18) initialized from the hexadecimal digits of π. During key setup, they are XOR'd with the password bytes (cycling). Each iteration of EksBlowfish re-runs this mixing.

S-Boxes (4 × 256 × 32-bit entries)

Four substitution boxes each contain 256 32-bit entries, also seeded from π. The Blowfish F-function uses all four S-boxes in a single round: F(x) = ((S₁[a] + S₂[b]) XOR S₃[c]) + S₄[d]. This makes BCrypt memory-hard — 4KB of S-box data must be accessed per round.

Password Hashing Algorithm Comparison

Algorithm	Memory Hard	GPU Resistant	Salt Built-in	Tunable Cost	Max Password	Output Size	Use Today
BCrypt 🔐	Partial (4KB)	Yes	Yes (128 bit)	Cost 4–31	72 bytes ⚠	60 chars	✅ Yes
Argon2id ⭐	Yes (configurable)	Yes	Yes	m, t, p params	Unlimited	Configurable	✅ Recommended
scrypt	Yes (N, r, p)	Yes	Yes	N, r, p	Unlimited	Configurable	✅ Yes
PBKDF2	No	No (GPU-fast)	Yes	Iterations	Unlimited	Configurable	⚠ FIPS required
MD5crypt	No	No	Yes	Fixed (1000)	Unlimited	34 chars	❌ Avoid
SHA-256 (plain)	No	No (billions/sec)	No (manual)	No	Unlimited	64 hex chars	❌ Never for passwords
MD5 (plain)	No	No (50B+/sec)	No	No	Unlimited	32 hex chars	❌ Broken

Recommendation (2026): Use Argon2id for new projects (winner of PHC). Use BCrypt (cost ≥12) for systems where Argon2 is unavailable. Avoid PBKDF2 unless FIPS compliance is required. Never use plain SHA/MD5 for passwords.

BCrypt Quick Reference

Hash Format

A BCrypt hash is always exactly 60 characters : 4-char prefix ( $2b$ ), 2-digit cost, $ separator, 22-char Base64 salt, 31-char Base64 digest. No separators between salt and digest — the split is positional at character 29 from the cost $ .

72-Byte Limit

BCrypt silently truncates passwords to 72 bytes. "password123456…" (73+ chars) hashes identically to the first 72 chars. Mitigation: pre-hash with SHA-256/512 before BCrypt, or use Argon2/scrypt. Some libraries (like bcryptjs) warn about this.

BCrypt Base64

BCrypt uses a custom Base64 alphabet: ./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 — not the standard RFC 4648 alphabet. The output is not decodable with standard atob() or standard Base64 libraries without remapping.

Why Not SHA-256?

SHA-256 runs at billions of hashes per second on modern GPUs (A100: ~100 GH/s). A BCrypt cost 12 hash takes ~250ms — roughly 25 billion times slower. An attacker cracking SHA-256 in 1 second would need 25 billion seconds (>790 years) with BCrypt cost 12.