Bcrypt Hash Generator and Checker Tool
$2a$
The original BCrypt specification did not define how to handle non-ASCII characters, or how to handle a null terminator
$2x$, $2y$ (June 2011)
A bug was discovered in crypt_blowfish🕗, a PHP implementation of BCrypt. It was mis-handling characters with the 8th bit set.
They suggested that system administrators update their existing password database, replacing $2a$
with $2x$
, to indicate that those hashes are bad (and need to use the old broken algorithm). They also suggested the idea of having crypt_blowfish emit $2y$
for hashes generated by the fixed algorithm. Nobody else, including canonical OpenBSD, adopted the idea of 2x
/2y
. This version marker was was limited to crypt_blowfish🕗.
The versions $2x$ and $2y$ are not "better" or "stronger" than $2a$. They are remnants of one particular buggy implementation of BCrypt.
$2b$ (February 2014)
A bug was discovered in the OpenBSD implementation of BCrypt. They were storing the length of their strings in an unsigned char
. If a password was longer than 255 characters, it would overflow and wrap at 255.
The only people who need to care about 2x and 2y are those you may have been using crypt_blowfish. And the only people who need to care about 2b are those who may have been running OpenBSD.
Source: Stack overflow