Secure password hashing in R with bcrypt

June 18, 2015

(This article was first published on OpenCPU, and kindly contributed to R-bloggers)

opencpu logo

The new package bcrypt provides an R interface to the OpenBSD ‘blowfish’ password hashing algorithm described in A Future-Adaptable Password Scheme by Niels Provos. The implementation is derived from the py-bcrypt module for Python which is a wrapper for the OpenBSD implementation.

Bcrypt is used for secure password hashing. The main difference with regular digest algorithms such as md5 / sha256 is that the bcrypt algorithm is specifically designed to be cpu intensive in order to protect against brute force attacks. This means that hasing with bcrypt is terribly slow, which is a feature. The complexity of the algorithm is configurable via the log_rounds parameter.

The API from the R package is exactly the same as the one from python: the hashpw function calculates a hash from a password using a random salt. Validating the hash is done by reshashing the password using the hash as a salt.

# Secret message as a string
passwd <- "supersecret"

# Create the hash
hash <- hashpw(passwd)
## [1] "$2a$12$1G8N3Xnp11oHt0RJf7SCMeWib7DpEOgpE5lXwjE2BATHJqFFxci6u"

# To validate the hash
identical(hash, hashpw(passwd, hash))

# Wrapper that does the same
checkpw(passwd, hash)

The gensalt function generates a salt for use with hashpw and specifies the complexity of the algorithm via the log_rounds parameter. The first few characters in the salt string hold the bcrypt version and value for log_rounds. The remainder stores 16 bytes of base64 encoded randomness for seeding the hashing algorithm.

# Use varying complexity:
hash11 <- hashpw(passwd, gensalt(11))
hash12 <- hashpw(passwd, gensalt(12))
hash13 <- hashpw(passwd, gensalt(13))

# Takes longer to verify (or crack)
system.time(checkpw(passwd, hash11))
##   user  system elapsed 
##  0.155   0.000   0.156 
system.time(checkpw(passwd, hash12))
##   user  system elapsed 
##  0.312   0.000   0.312 
system.time(checkpw(passwd, hash13))
##   user  system elapsed 
##  0.640   0.002   0.642

To leave a comment for the author, please follow the link and comment on their blog: OpenCPU. offers daily e-mail updates about R news and tutorials on topics such as: Data science, Big Data, R jobs, visualization (ggplot2, Boxplots, maps, animation), programming (RStudio, Sweave, LaTeX, SQL, Eclipse, git, hadoop, Web Scraping) statistics (regression, PCA, time series, trading) and more...

If you got this far, why not subscribe for updates from the site? Choose your flavor: e-mail, twitter, RSS, or facebook...

Comments are closed.


Never miss an update!
Subscribe to R-bloggers to receive
e-mails with the latest R posts.
(You will not see this message again.)

Click here to close (This popup will not appear again)