Bcrypt vs SHA-256 for Password Storage
Compare bcrypt and SHA-256 for password hashing. Learn why general-purpose hash functions like SHA-256 are unsuitable for passwords and how bcrypt's adaptive cost factor provides superior protection.
Detailed Explanation
Bcrypt vs SHA-256 for Password Storage
SHA-256 and bcrypt serve fundamentally different purposes. SHA-256 is a general-purpose cryptographic hash function designed for speed. Bcrypt is a password hashing function designed to be slow. This distinction is critical for security.
Speed: The Core Difference
| Function | Hashes/second (modern GPU) | Purpose |
|---|---|---|
| SHA-256 | ~10 billion | Data integrity, digital signatures |
| Bcrypt (cost 12) | ~10,000 | Password storage |
SHA-256 is approximately 1 million times faster than bcrypt. For file checksums and digital signatures, speed is a feature. For password storage, speed is a vulnerability.
Why Speed Matters for Passwords
An attacker who obtains a database of SHA-256 hashed passwords can try 10 billion password guesses per second on a modern GPU. At that rate:
- The entire
rockyou.txtwordlist (14 million passwords): < 1 millisecond - All 8-character lowercase passwords: ~21 seconds
- All 8-character alphanumeric passwords: ~5 minutes
With bcrypt at cost 12, the same attacks take:
- rockyou.txt: ~23 minutes
- 8-character lowercase: ~6,700 years
- 8-character alphanumeric: ~700,000 years
Salting Does Not Fix SHA-256
Adding a salt to SHA-256 (SHA256(salt + password)) prevents rainbow table attacks but does nothing to slow down brute-force attacks. The attacker still gets billions of guesses per second — they just need to compute each one fresh instead of looking it up.
Iterated SHA-256 (PBKDF2)
You can make SHA-256 slower by iterating it thousands of times (this is what PBKDF2 does). However:
- PBKDF2-SHA-256 is still GPU-friendly — SHA-256 is trivially parallelizable on GPUs
- Bcrypt’s Blowfish-based design is memory-hard enough to resist GPU acceleration better
- Managing iteration counts with PBKDF2 requires the same cost-factor planning as bcrypt
When SHA-256 Is Appropriate
- File integrity verification (checksums)
- Digital signatures
- HMAC for API authentication
- Content-addressable storage
- Certificate pinning
When to Use Bcrypt
- User password storage
- Any secret that users choose (PINs, security answers)
- API key storage (hash the key, store the hash)
The Bottom Line
Never use plain SHA-256 for password storage. If you currently do, migrate to bcrypt (or Argon2) as soon as possible using the rehash-on-login pattern.
Use Case
This comparison is essential for developers who are tempted to use SHA-256 for passwords because it is built into every platform. It is also relevant during security reviews and penetration test remediation, where auditors flag SHA-256 password hashing as a vulnerability. Understanding the quantitative difference in attack resistance helps justify the migration effort to stakeholders.