• andrew
    21 year ago

    I’m arguing semantics here but bcrypt is the hashing function. Per the Wikipedia article on bcrypt:

    bcrypt is a password-hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher and presented at USENIX in 1999.

    Blowfish being a symmetric encryption cipher, not a hashing function.

    Agreed on the rest, though. The hashing cost of a long password would not lead to DoS any more than the bandwidth of accepting that password etc. It’s not the bottleneck. But also no extra security beyond a point, so might as well not bother when passwords are too long.