The bcrypt algorithm runs in two phases, sketched in Figure 3. In the first phase, EksBlowfishSetup is called with the cost, the salt, and the password, to initialize eksblowfish's state. Most of bcrypt's time is spent in the expensive key schedule. Following that, the 192-bit value "OrpheanBeholderScryDoubt" is encrypted 64 times using eksblowfish in ECB mode with the state from the previous phase. The output is the cost and 128-bit salt concatenated with the result of the encryption loop.
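The two phases above, as an added structural model in Python (this is example code written for this page, not the paper's or any bcrypt library's implementation). It follows the eksblowfish key schedule faithfully: ExpandKey folds the key into the P-array and then regenerates P and the S-boxes by encrypting a running block XORed with alternating salt halves; EksBlowfishSetup runs that 2^cost times with the password and the salt in turn; the 192-bit constant is then encrypted 64 times in ECB mode. One deliberate assumption keeps it short: the initial P-array and S-boxes are filled from SHA-256 output rather than the hexadecimal digits of pi that real Blowfish uses, so the model does not produce interoperable bcrypt hashes, only the same shape of computation (and the same cost scaling). The `verify` helper uses a constant-time comparison, which is what a checker should do regardless of the hash function.

```python
"""Structural model of bcrypt's two phases: EksBlowfishSetup (the expensive,
cost-tunable key schedule) followed by 64 ECB encryptions of a fixed
192-bit block.  Added example, not the paper's code.

Assumption: the initial P-array and S-boxes come from SHA-256 here instead of
the hex digits of pi used by real Blowfish, so outputs are NOT real bcrypt
hashes.  The key-schedule structure and cost scaling are the point.
"""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
MAGIC = b"OrpheanBeholderScryDoubt"   # the 192-bit constant named in the paper
EXPAND_KEY_CALLS = [0]                # instrumentation: counts ExpandKey runs


def _initial_state():
    # Real Blowfish fills P (18 words) and S (4 x 256 words) from pi digits.
    # Assumption: the same amount of filler is generated from SHA-256 instead.
    words, counter = [], 0
    while len(words) < 18 + 4 * 256:
        digest = hashlib.sha256(b"toy-blowfish-init" + struct.pack(">I", counter)).digest()
        words.extend(struct.unpack(">8I", digest))
        counter += 1
    P = words[:18]
    S = [words[18 + i * 256: 18 + (i + 1) * 256] for i in range(4)]
    return P, S


def _f(S, x):
    # Blowfish round function: four S-box lookups combined with add/xor/add.
    a, b, c, d = (x >> 24) & 0xFF, (x >> 16) & 0xFF, (x >> 8) & 0xFF, x & 0xFF
    return ((((S[0][a] + S[1][b]) & MASK32) ^ S[2][c]) + S[3][d]) & MASK32


def _encrypt_block(P, S, L, R):
    # 16-round Feistel network over one 64-bit block (two 32-bit halves).
    for i in range(16):
        L ^= P[i]
        R ^= _f(S, L)
        L, R = R, L
    L, R = R, L                       # undo the final swap
    return L ^ P[17], R ^ P[16]


def _expand_key(P, S, salt, key):
    """ExpandKey(state, salt, key): XOR the key cyclically into P, then
    regenerate P and S by encrypting a running block that is XORed with the
    two 64-bit halves of the 128-bit salt alternately.  A zero salt reduces
    this to the ordinary Blowfish key schedule."""
    EXPAND_KEY_CALLS[0] += 1
    keylen, j = len(key), 0
    for i in range(18):
        word = 0
        for _ in range(4):
            word = ((word << 8) | key[j % keylen]) & MASK32
            j += 1
        P[i] ^= word
    sw = struct.unpack(">4I", salt)
    L = R = k = 0
    for i in range(0, 18, 2):
        L ^= sw[k]; R ^= sw[k + 1]; k = (k + 2) % 4
        L, R = _encrypt_block(P, S, L, R)
        P[i], P[i + 1] = L, R
    for box in range(4):
        for i in range(0, 256, 2):
            L ^= sw[k]; R ^= sw[k + 1]; k = (k + 2) % 4
            L, R = _encrypt_block(P, S, L, R)
            S[box][i], S[box][i + 1] = L, R


def eks_blowfish_setup(cost, salt, key):
    """Phase one: initialise state, then run 2^cost rounds of re-keying with
    the password and the salt.  This is where bcrypt spends its time."""
    P, S = _initial_state()
    _expand_key(P, S, salt, key)
    zero_salt = bytes(16)
    for _ in range(2 ** cost):
        _expand_key(P, S, zero_salt, key)
        _expand_key(P, S, zero_salt, salt)
    return P, S


def bcrypt_model(cost, salt, password):
    """Phase two: encrypt the 192-bit constant 64 times in ECB mode and return
    cost || salt || ciphertext (41 bytes in this model)."""
    assert len(salt) == 16, "bcrypt uses a 128-bit salt"
    key = password + b"\x00"          # implementations include the terminating NUL
    P, S = eks_blowfish_setup(cost, salt, key)
    ct = list(struct.unpack(">6I", MAGIC))      # three independent 64-bit blocks
    for _ in range(64):
        for b in range(0, 6, 2):                # ECB: each block on its own
            ct[b], ct[b + 1] = _encrypt_block(P, S, ct[b], ct[b + 1])
    return struct.pack(">B", cost) + salt + struct.pack(">6I", *ct)


def verify(stored, password):
    """Re-derive from the stored cost and salt; compare in constant time."""
    cost, salt = stored[0], stored[1:17]
    return hmac.compare_digest(bcrypt_model(cost, salt, password), stored)


if __name__ == "__main__":
    salt = bytes(range(16))                     # constructed sample salt
    h = bcrypt_model(3, salt, b"correct horse")
    print(h.hex(), verify(h, b"correct horse"), verify(h, b"wrong"))
```

Raising the cost by one doubles the number of ExpandKey calls in phase one while leaving phase two unchanged, which is the adaptability property the paper argues for; the instrumentation counter makes that visible without timing anything.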
In Section 3, we derived that an -secure password function should fulfill several important criteria: second preimage-resistance, a salt space large enough to defeat precomputation attacks, and an adaptable cost. We believe that bcrypt achieves all three properties, and that it can be -secure with useful values of for years to come. Though we cannot formally prove bcrypt -secure, any flaw would likely deal a serious blow to the well-studied blowfish encryption algorithm.