bcrypt
What is bcrypt?
bcrypt: An adaptive password-hashing function based on the Blowfish cipher with a tunable cost factor, designed by Provos and Mazières in 1999.
bcrypt is a password-hashing scheme published in 1999 by Niels Provos and David Mazières (USENIX paper "A Future-Adaptable Password Scheme") that uses a modified Blowfish key schedule ("EksBlowfish") to derive a 192-bit hash from a salted password. The expensive key-setup phase interleaves the salt and password through repeated key expansions, then encrypts the constant string "OrpheanBeholderScryDoubt" 64 times. Its cost parameter — log2 of the number of key-setup rounds — lets defenders raise the work factor as hardware improves; cost 12 means 2^12 = 4,096 iterations.
A defining quirk is bcrypt's hard 72-byte input limit: anything beyond byte 72 is silently truncated. This caused the October 2024 Okta AD/LDAP Delegated Authentication incident, where Okta built a cache key by bcrypt-hashing userId + username + password; for users with a username of 52+ characters the password fell past the 72-byte cutoff and was ignored, letting a previously cached credential authenticate. The lesson: pre-hash long inputs (e.g. SHA-256 then Base64) before bcrypt, or use a function without the limit.
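The cache-key construction from the incident beside the pre-hash mitigation, as an added example that is not Okta's code or the page's own. It assumes a 20-character userId (so that a 52-character username fills all 72 bytes) and, to stay on the standard library, uses a constructed stand-in that models only bcrypt's 72-byte truncation, not EksBlowfish.

```python
import base64
import hashlib
import hmac

BCRYPT_INPUT_LIMIT = 72  # bytes; bcrypt silently drops everything after this


def truncating_hash(data: bytes, salt: bytes) -> bytes:
    """Stand-in for bcrypt, constructed for this example. It keeps only the
    property under discussion (input cut at 72 bytes) and uses HMAC-SHA256
    rather than EksBlowfish so the code runs on the standard library."""
    return hmac.new(salt, data[:BCRYPT_INPUT_LIMIT], hashlib.sha256).digest()


def password_reaches_hash(user_id: str, username: str) -> bool:
    """Audit check for the concatenation pattern: does any byte of the
    password survive truncation? False means the password is ignored."""
    return len((user_id + username).encode()) < BCRYPT_INPUT_LIMIT


def vulnerable_cache_key(user_id: str, username: str, password: str,
                         salt: bytes) -> bytes:
    # The incident pattern: concatenate userId + username + password, then
    # hash. With a 20-byte userId (assumed here) and a 52-character username
    # the password begins at byte 73 and never reaches the hash.
    return truncating_hash((user_id + username + password).encode(), salt)


def prehash(material: str) -> bytes:
    # SHA-256 then Base64: always 44 ASCII bytes, so it fits under the limit
    # whatever the length of the original input.
    return base64.b64encode(hashlib.sha256(material.encode()).digest())


def hardened_cache_key(user_id: str, username: str, password: str,
                       salt: bytes) -> bytes:
    # Pre-hash the whole, delimiter-separated input so every field contributes
    # and the value handed to bcrypt is a fixed 44 bytes.
    material = "\x00".join([user_id, username, password])
    return truncating_hash(prehash(material), salt)


if __name__ == "__main__":
    salt = b"constructed-16B!"      # constructed sample salt
    uid = "00u" + "x" * 17          # assumed 20-character userId
    long_user = "u" * 52            # username length from the incident
    k1 = vulnerable_cache_key(uid, long_user, "correct-password", salt)
    k2 = vulnerable_cache_key(uid, long_user, "anything-at-all", salt)
    print("password reaches hash:", password_reaches_hash(uid, long_user))
    print("vulnerable keys collide:", k1 == k2)
    h1 = hardened_cache_key(uid, long_user, "correct-password", salt)
    h2 = hardened_cache_key(uid, long_user, "anything-at-all", salt)
    print("hardened keys collide:", h1 == h2)
```

`password_reaches_hash` is the check to run over existing userId/username pairs when auditing any code that feeds concatenated fields into bcrypt.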
bcrypt's small, fixed memory footprint also makes it weaker than memory-hard designs against GPU/ASIC cracking. It remains acceptable at cost ≥ 12, but OWASP now recommends Argon2id (or scrypt) for new systems.
flowchart TD
P[Password + 128-bit salt] --> T{Input > 72 bytes?}
T -->|Yes| TR[Bytes 73+ silently truncated]
T -->|No| K
TR --> K[EksBlowfish key setup]
K --> C[Cost: repeat key schedule 2^cost times]
C --> E["Encrypt 'OrpheanBeholderScryDoubt' x64"]
E --> H["$2b$12$salt + 184-bit digest"]
● Examples
- 01: Django and Spring Security store user passwords with bcrypt at cost 12 by default.
- 02: A typical bcrypt hash starts with $2b$12$ followed by a 22-character salt and 31-character digest.
● Frequently asked questions
What is bcrypt?
An adaptive password-hashing function based on the Blowfish cipher with a tunable cost factor, designed by Provos and Mazières in 1999. It belongs to the Cryptography category of cybersecurity.
What does bcrypt mean?
An adaptive password-hashing function based on the Blowfish cipher with a tunable cost factor, designed by Provos and Mazières in 1999.
How do you defend against bcrypt?
bcrypt is itself a defensive control rather than a threat; the relevant practices (a cost factor of at least 12, pre-hashing inputs longer than 72 bytes, and preferring Argon2id or scrypt for new systems) are covered in the full definition above.
What are other names for bcrypt?
Common alternative names include: EksBlowfish hash, Provos-Mazières bcrypt.