bcrypt vs SHA-256 for Passwords
Why bcrypt is better than SHA-256 for password hashing. Understand work factors, salt handling, GPU resistance, and when each algorithm is the right choice.
Detailed Explanation
bcrypt and SHA-256 serve fundamentally different purposes. SHA-256 is a general-purpose cryptographic hash designed for speed, while bcrypt is a password hashing function designed to be deliberately slow. Using SHA-256 for password storage is a common mistake that leaves systems vulnerable to brute-force attacks.
Speed: the critical difference:
A single modern GPU can compute approximately 5 billion SHA-256 hashes per second. This means an attacker can test every possible 8-character alphanumeric password (about 2.8 trillion combinations) in under 10 minutes. bcrypt at a work factor of 12 computes roughly 4 hashes per second on the same GPU. Testing the same password space would take over 22,000 years. bcrypt achieves this slowdown through its Blowfish-based key schedule, which requires sequential memory access patterns that resist GPU parallelization.
Built-in salt handling:
SHA-256 requires manual salt management: generating a random salt, storing it alongside the hash, and incorporating it during verification. Developers often get this wrong, using short salts, reusing salts, or omitting them entirely. bcrypt embeds the salt directly in its output string (e.g., $2b$12$salt22charslong..hash31charslong.). The salt, work factor, and hash are all encoded together, making storage and verification straightforward.
Adaptive cost:
bcrypt's work factor can be increased as hardware improves. Each increment doubles the computation time. A system deployed with work factor 10 in 2010 can be upgraded to factor 13 in 2025 without changing the storage format. SHA-256 has no equivalent mechanism; its speed is fixed. You could iterate SHA-256 (PBKDF2-HMAC-SHA256), which adds a configurable iteration count, but this still lacks bcrypt's memory-hardness.
When to use each:
Use bcrypt (or Argon2) exclusively for password hashing. Use SHA-256 for data integrity verification, digital signatures, checksums, HMAC authentication, and all other hashing needs. They are complementary tools, not competitors. Argon2id is now preferred over bcrypt for new systems because it adds configurable memory-hardness, but bcrypt remains a solid choice and is available in virtually every programming language and framework.
Use Case
Developers choosing a password hashing strategy should use bcrypt (work factor 12+) or Argon2id instead of raw SHA-256 to protect stored credentials against brute-force attacks.