
I have an application that I use sha3-512 to hash my password with a randomly generated 64 characters salt for each password. Is it bad to use this method to store passwords? I know many people reference using bcrypt for password storage. What are the advantages/disadvantages of using bcrypt vs. a hash/salt combo?

biw
  • Don't roll your own crypto. It's nice that you adopted SHA-3 :), but still bcrypt would be much better and if you're willing to adopt new standards scrypt and the PHC-finalists may be worth a look. – SEJPM Jun 02 '15 at 16:58

1 Answer


Is it bad to use this method to store passwords?

Yes. It is bad.
Why?

  1. It's bad because you're rolling your own crypto, which is generally considered a bad choice.
  2. It's bad because SHA-3 is slow in software (e.g. on servers and consumer PCs) and fast in hardware (e.g. FPGAs, ASICs), and hence attackers can try out many passwords relatively quickly.

So the disadvantages:

  • SHA-3/2 is fast and therefore an attacker can try many passwords very fast even though you're using a salt.
  • SHA-3 isn't widely deployed yet and availability of bcrypt/scrypt may be better.
  • SHA-3 is designed to be a good hash-function, not a good password-hashing-scheme (PHS), whereas bcrypt is designed to be a PHS and was analyzed in this direction as well.
  • Bcrypt is slower and requires some memory (4 kiB IIRC), so one spends 100ms to check a valid password whereas an attacker needs days / years to crack it because he's slowed down and can't use GPUs efficiently.

So all in all, always prefer bcrypt over standard (iterated) hash-functions.

You may also want to take a look at scrypt and the password-hashing competition (PHC). PHC is in the final phase and until winners are selected and deployed scrypt may be a better option - if you don't want to authenticate users on your server.

SEJPM
  • Yes. In a nutshell, SHA3-512 has no work factor parameter, which is of paramount importance for password storage; and it uses little RAM, which in this application is a drawback. – fgrieu Jun 02 '15 at 17:51
  • I don't see how this could be considered rolling his own crypto. – Andrew Hoffman Apr 17 '16 at 17:25
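To make the answer's point concrete (a salted SHA3-512 hash has no cost parameter, whereas a password-hashing scheme lets you tune CPU and memory cost), here is an added Python example that is not from the question or the answer. It uses `hashlib.scrypt` as the stand-in for bcrypt (assumed to be available in the Python build), and the `algo$params$salt$hash` storage format is my own construction.

```python
import hashlib
import hmac
import secrets
import time

# --- The questioner's scheme: SHA3-512 over (salt || password), 64-character random salt.
# There is no parameter here that makes each guess more expensive; only the salt changes.
def sha3_hash_password(password: str, salt: str = "") -> str:
    salt = salt or secrets.token_hex(32)  # 64 hex characters
    digest = hashlib.sha3_512((salt + password).encode()).hexdigest()
    return f"sha3-512${salt}${digest}"

# --- A scheme with a work factor: scrypt. N is the CPU/memory cost, r the block size,
# p the parallelism. Memory per evaluation is about 128 * N * r bytes, so N=2**14, r=8
# forces roughly 16 MiB per guess, which is what limits cheap GPU/ASIC parallelism.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def scrypt_hash_password(password: str, salt: bytes = b"", n: int = SCRYPT_N,
                         r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    salt = salt or secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    # Parameters are stored with the hash so they can be raised later for new passwords.
    return f"scrypt${n}${r}${p}${salt.hex()}${key.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive from the stored salt/parameters and compare in constant time."""
    algo, *fields = stored.split("$")
    if algo == "sha3-512" and len(fields) == 2:
        candidate = sha3_hash_password(password, fields[0])
    elif algo == "scrypt" and len(fields) == 5:
        n, r, p, salt_hex, _ = fields
        candidate = scrypt_hash_password(password, bytes.fromhex(salt_hex),
                                         int(n), int(r), int(p))
    else:
        return False  # unknown or malformed record
    return hmac.compare_digest(candidate, stored)

def scrypt_memory_bytes(n: int = SCRYPT_N, r: int = SCRYPT_R) -> int:
    """Approximate RAM needed for one scrypt evaluation (128 * N * r)."""
    return 128 * n * r

def trials_per_second(hash_fn, n_samples: int) -> float:
    """Single-core trial rate on this machine: the figure a defender uses to size the cost."""
    start = time.perf_counter()
    for i in range(n_samples):
        hash_fn(f"candidate-{i}")
    return n_samples / (time.perf_counter() - start)

if __name__ == "__main__":
    print("sha3-512 trials/s:", int(trials_per_second(sha3_hash_password, 2000)))
    print("scrypt   trials/s:", round(trials_per_second(scrypt_hash_password, 5), 1),
          "using", scrypt_memory_bytes() // (1024 * 1024), "MiB each")
```

Raising `SCRYPT_N` on the server to keep a verification near 100 ms is the "work factor" the comments refer to; the salted SHA-3 variant has no equivalent knob.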