I saw a recommendation that the number of rounds be set to ($currentYear - 2000) to account for Moore's law, so that 2013 would be 13 rounds and t
When you use bcrypt, the number of rounds is part of the hash generated:
crypt ( 'Password', '$2a$04$thisshallbemysalt' );
will result in something like
$2a$04$thisshallbemysalt.rAnd0ml0ok1ngch4rsh3re
The 2a after the first $ sign stands for the bcrypt algorithm, and the next 04 stands for the number of rounds – so by looking at the hash you can see how many rounds were done creating it.
So when you decide it’s time to up the number of rounds, you could check the number of rounds used in generating the stored hash when the user logs in – and if it's not your current number of rounds, you re-hash their password there and then, and save it as the new hash (after checking whether their password matched the existing hash, of course ;-))
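The login-time rehash described in the answer above, written out as an added PHP example (this is not the answer author's code). It assumes PHP 7.0 or later for random_bytes() and hash_equals(), uses the $2y$ prefix that PHP's crypt() accepts for bcrypt, and treats the cost of 12 and the sample password as constructed values; the bcryptCost() function is the "look at the hash to see how many rounds were used" step, and loginAndMaybeRehash() only produces a new hash after the old one has verified.

```php
<?php
// Added example, not from the original answer: read the cost factor embedded in a
// stored bcrypt hash at login and re-hash the password when that cost is stale.
// Assumes PHP >= 7.0 (random_bytes, hash_equals, crypt() with $2y$ support).

const CURRENT_COST = 12;   // assumed policy value; bcrypt accepts 04..31

// Extract the cost ("rounds") from the $2a$/$2b$/$2x$/$2y$NN$... prefix.
// Returns null when the string is not a bcrypt hash at all.
function bcryptCost(string $hash): ?int
{
    if (preg_match('/^\$2[abxy]\$(\d{2})\$/', $hash, $m) !== 1) {
        return null;
    }
    return (int) $m[1];
}

// Produce a fresh bcrypt hash at the requested cost using crypt().
function bcryptHash(string $password, int $cost): string
{
    // bcrypt wants a 22-character salt from the alphabet ./A-Za-z0-9;
    // base64 of 16 random bytes gives 22 usable chars once '+' is mapped to '.'.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    // crypt() returns a short failure string instead of a 60-char hash on error
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Constant-time comparison: re-run crypt() with the stored hash as the setting
// string (it carries the algorithm, cost and salt) and compare the results.
function bcryptVerify(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

// Login flow. Returns [bool $ok, ?string $newHash]; $newHash is non-null only
// when the password was correct AND the stored cost differs from the current
// policy, in which case the caller should persist it in place of $stored.
function loginAndMaybeRehash(string $password, string $stored, int $currentCost = CURRENT_COST): array
{
    // Never touch the stored hash on a failed login.
    if (!bcryptVerify($password, $stored)) {
        return [false, null];
    }
    if (bcryptCost($stored) === $currentCost) {
        return [true, null];
    }
    // The plaintext is available right now, so this is the moment to upgrade.
    return [true, bcryptHash($password, $currentCost)];
}

// Constructed demo: a user record hashed years ago at cost 4.
$stored = bcryptHash('correct horse battery staple', 4);
echo "stored cost: ", bcryptCost($stored), "\n";

[$ok, $newHash] = loginAndMaybeRehash('wrong password', $stored);
var_dump($ok, $newHash);

[$ok, $newHash] = loginAndMaybeRehash('correct horse battery staple', $stored);
var_dump($ok, $newHash === null ? null : bcryptCost($newHash));
```

On PHP 5.5 and later the same idea is built in: password_hash() with PASSWORD_BCRYPT and a 'cost' option, password_verify(), and password_needs_rehash(), which performs exactly this cost comparison against the stored hash. The manual version above is kept to show what that check is doing with the cost field the answer points at.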