Passwords hashing

The crypt function to hash (originally encrypt) password dates back to the 70s, and used some rotor-based encryption, à la Enigma. Wikipedia has a nice article about its complete history.

In February 1997, Niels Provos switched OpenBSD’s crypt from DES to a BLOWFISH based hashing system that he invented with David Mazieres, called bcrypt. It landed in OpenBSD 2.1. Its main innovation was the introduction of a cost factor, allowing it to be kept relevant for years to come.

In 2007, Linux switched from MD5 to SHA-512, thanks to Ulrich Drepper, and is still using it as default hashing scheme as of 2019.

bcrypt is now widely used to hash passwords, and is supported by every major unix-like (FreeBSD, NetBSD, Linux, Solaris, …), is implemented in various languages, … and had broad influence on how the world is storing passwords.

Nowadays, bcrypt is a starting to become a thing from the past, as passwords should be hashed via algorithms providing proper memory-hardness like Argon2 (2015), yescrypt (2012) and scrypt (2009).

As Provos said in 2023:

A crucial aspect of bcrypt’s resistance to GPU optimization lies in its memory access pattern spanning 4KB during the key setup phase, which is inefficient to parallelize on GPUs with small L1 caches (Malvoni et al., 2014). That said, NVidia increased the L1 cache significantly to 16MB for the RTX 4090 and bcrypt’s 4KB is a tiny amount of memory these days.

Albeit to be fair, it’s not a single chunk of 16MB, but 128 x 128 KiB per-Streaming Multiprocessor L1 cache, but it’s still significantly bigger than 4KB.