(05-26-2015, 01:09 PM)Yagmi Wrote: Why not just use MD5.salt?
Because it calculates fast as fuck compared to Bcrypt; modern systems can check 330MB of MD5 hashes every second.
Meanwhile our boss Bcrypt is fat as fuck, slow as fuck.
Let's look at the two methods and how fast they generate hashes.
MD5 ~ 0.008s
BCrypt ~ 0.012s // That's 1.5 times slower than MD5, which is good.
This was calculated with a work factor of 9, which can be edited based on your server performance, so it can be even slower if you so decide.
Why is slow good you might ask?
It means that when the cracker who obtained the hashes wants to crack your passwords, they are basically going to try to recreate the hash with as many different inputs/passwords as possible (either brute force/mask or a dictionary attack).
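As an added example (not code from the thread), here is the work-factor idea in runnable form: Python's standard library has no bcrypt, so PBKDF2-HMAC-SHA256 stands in, with the same rule that each +1 on the cost doubles the rounds; the function names and the `$pbkdf2$cost$salt$digest` record format are my own.

```python
import hashlib
import hmac
import os
import time

# Added example, not from the thread. The standard library has no bcrypt, so
# PBKDF2-HMAC-SHA256 stands in: as with bcrypt, "cost" is the base-2 exponent
# of the round count, so every +1 on the work factor doubles the hashing time.

def iterations_for_cost(cost: int) -> int:
    return 1 << cost  # cost 9 -> 512 rounds, cost 10 -> 1024, ...

def md5_salted(password: str, salt: bytes) -> bytes:
    return hashlib.md5(salt + password.encode()).digest()  # the "MD5.salt" scheme

def slow_hash(password: str, salt: bytes, cost: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations_for_cost(cost))

def make_record(password: str, cost: int) -> str:
    # Store the cost and salt next to the digest so the cost can be raised later.
    salt = os.urandom(16)
    return f"$pbkdf2${cost}${salt.hex()}${slow_hash(password, salt, cost).hex()}"

def verify(password: str, record: str) -> bool:
    _, _, cost, salt_hex, digest_hex = record.split("$")
    candidate = slow_hash(password, bytes.fromhex(salt_hex), int(cost))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def seconds_per_hash(fn, repeats: int = 3) -> float:
    best = float("inf")  # best of a few runs, so scheduler noise does not inflate it
    for _ in range(repeats):
        start = time.perf_counter()
        fn()
        best = min(best, time.perf_counter() - start)
    return best

def calibrate_cost(target_seconds: float, min_cost: int = 4, max_cost: int = 20) -> int:
    # Smallest work factor whose single hash meets the login-time budget on this
    # server; rerun it when hardware improves and re-hash users at next login.
    salt = b"\x00" * 16
    for cost in range(min_cost, max_cost + 1):
        if seconds_per_hash(lambda: slow_hash("benchmark", salt, cost)) >= target_seconds:
            return cost
    return max_cost

if __name__ == "__main__":
    salt = os.urandom(16)
    fast = seconds_per_hash(lambda: md5_salted("hunter2", salt))
    for cost in (9, 10, 11):  # each step halves what a cracker can try per second
        slow = seconds_per_hash(lambda: slow_hash("hunter2", salt, cost))
        print(f"cost {cost}: {slow / fast:.0f}x slower than salted MD5, {1 / slow:,.0f} guesses/s")
    record = make_record("hunter2", calibrate_cost(0.05))
    print(record, verify("hunter2", record), verify("hunter3", record))
```

The printed ratio is what the cracker loses per guess; the calibrated cost is what you would store with each new hash.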
I almost thought this post was against Bcrypt until I realized that it was a defense.