{"id":52601,"date":"2025-09-30T16:36:40","date_gmt":"2025-09-30T13:36:40","guid":{"rendered":"https:\/\/infinitydomainhosting.com\/kb\/security-aspects-of-bcrypt-explained-clearly\/"},"modified":"2025-09-30T16:36:40","modified_gmt":"2025-09-30T13:36:40","slug":"security-aspects-of-bcrypt-explained-clearly","status":"publish","type":"post","link":"https:\/\/infinitydomainhosting.com\/kb\/security-aspects-of-bcrypt-explained-clearly\/","title":{"rendered":"Security Aspects of Bcrypt Explained Clearly"},"content":{"rendered":"<p><\/p>\n<article><\/p>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_80 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li 
class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/infinitydomainhosting.com\/kb\/security-aspects-of-bcrypt-explained-clearly\/#What_bcrypt_does_and_why_it_matters\" >What bcrypt does and why it matters<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/infinitydomainhosting.com\/kb\/security-aspects-of-bcrypt-explained-clearly\/#Key_security_features_of_bcrypt\" >Key security features of bcrypt<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/infinitydomainhosting.com\/kb\/security-aspects-of-bcrypt-explained-clearly\/#How_the_cost_factor_works\" >How the cost factor works<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/infinitydomainhosting.com\/kb\/security-aspects-of-bcrypt-explained-clearly\/#Known_limitations_and_attack_surface\" >Known limitations and attack surface<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/infinitydomainhosting.com\/kb\/security-aspects-of-bcrypt-explained-clearly\/#Best_practices_for_secure_use_of_bcrypt\" >Best practices for secure use of bcrypt<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/infinitydomainhosting.com\/kb\/security-aspects-of-bcrypt-explained-clearly\/#Implementation_checklist\" >Implementation checklist<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/infinitydomainhosting.com\/kb\/security-aspects-of-bcrypt-explained-clearly\/#When_to_consider_alternatives\" >When to consider alternatives<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" 
href=\"https:\/\/infinitydomainhosting.com\/kb\/security-aspects-of-bcrypt-explained-clearly\/#Migrating_older_hashes_safely\" >Migrating older hashes safely<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/infinitydomainhosting.com\/kb\/security-aspects-of-bcrypt-explained-clearly\/#Summary\" >Summary<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/infinitydomainhosting.com\/kb\/security-aspects-of-bcrypt-explained-clearly\/#FAQs\" >FAQs<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/infinitydomainhosting.com\/kb\/security-aspects-of-bcrypt-explained-clearly\/#Is_bcrypt_still_secure_in_2025\" >Is bcrypt still secure in 2025?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/infinitydomainhosting.com\/kb\/security-aspects-of-bcrypt-explained-clearly\/#What_cost_factor_should_I_use_for_bcrypt\" >What cost factor should I use for bcrypt?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/infinitydomainhosting.com\/kb\/security-aspects-of-bcrypt-explained-clearly\/#Does_bcrypt_protect_against_GPU_cracking\" >Does bcrypt protect against GPU cracking?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-14\" href=\"https:\/\/infinitydomainhosting.com\/kb\/security-aspects-of-bcrypt-explained-clearly\/#How_do_I_handle_passwords_longer_than_72_bytes\" >How do I handle passwords longer than 72 bytes?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-15\" href=\"https:\/\/infinitydomainhosting.com\/kb\/security-aspects-of-bcrypt-explained-clearly\/#Should_I_add_a_pepper_to_bcrypt_hashes\" >Should I add a pepper to bcrypt 
hashes?<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n<h2><span class=\"ez-toc-section\" id=\"What_bcrypt_does_and_why_it_matters\"><\/span>What bcrypt does and why it matters<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<p>\n      Bcrypt is <a href=\"https:\/\/infinitydomainhosting.com\/kb\/how-to-configure-2fa-step-by-step\/\">a<\/a> password hashing algorithm designed to make it expensive for attackers to recover passwords from stolen hashes. Instead of encrypting, bcrypt applies a deliberately slow, adaptive function to a password combined with a unique salt so that each stored hash is expensive to compute and different even for identical passwords. That design raises the cost of brute-force and dictionary attacks: an adversary trying millions of guesses must expend significant CPU time for every attempt, which helps protect user accounts when a credential database is leaked.\n    <\/p>\n<p><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Key_security_features_of_bcrypt\"><\/span>Key security features of bcrypt<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<p>\n      Several built-in features are responsible for bcrypt&#8217;s continued use in many systems. First, bcrypt uses a per-password salt so two identical passwords produce different hashes and precomputed tables (<a href=\"https:\/\/hostadvice.com\/how-to\/web-hosting\/how-to-create-rainbow-tables-in-kali\/\" target=\"_blank\" rel=\"noopener\">rainbow tables<\/a>) are ineffective. Second, bcrypt includes a configurable cost parameter (often called the work factor) that scales the computation exponentially; increasing this parameter makes hashing slower and therefore raises the resources required for offline cracking. 
Third, the canonical bcrypt output encodes version, cost, salt and hash in a single string, which makes storage and verification straightforward when you use standard libraries.\n    <\/p>\n<p><\/p>\n<h3><span class=\"ez-toc-section\" id=\"How_the_cost_factor_works\"><\/span>How the cost factor works<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><\/p>\n<p>\n      The cost is expressed as a base-2 log; a cost of 12 means the underlying operation runs 2^12 iterations of the expensive key setup. This exponential relationship makes it easy to tune bcrypt over time: as hardware gets faster, raise the cost to keep hashing <a href=\"https:\/\/www.hostinger.com\/tutorials\/what-is-network-latency\" target=\"_blank\" rel=\"noopener\">latency<\/a> within a target range. The recommended approach is to measure how long a hash takes on your production hardware and pick a cost that yields a balance between user experience (login delays) and security. Many teams aim for single-digit to low-hundreds of milliseconds per hash, but the exact value should reflect your scale and threat model.\n    <\/p>\n<p><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Known_limitations_and_attack_surface\"><\/span>Known limitations and attack surface<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<p>\n      Bcrypt is not perfect and understanding its limitations helps you apply it safely. It is not memory-hard, which means GPUs and specialized hardware gain a relative advantage over CPUs when performing massive parallel cracking. Compared with newer designs like Argon2, bcrypt is less resistant to highly parallelized attacks. Another practical issue is input handling: many bcrypt implementations truncate passwords longer than 72 bytes, which can lead to surprising behavior if applications accept very long passphrases. 
Finally, while bcrypt defends against offline brute force, it does not replace other layers of defense; rate limiting, multi-factor authentication, and monitoring are still necessary to mitigate online attacks or account takeover.\n    <\/p>\n<p><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Best_practices_for_secure_use_of_bcrypt\"><\/span>Best practices for secure use of bcrypt<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<p>\n      Use a well-maintained library rather than writing your own implementation, and ensure the library supports current bcrypt variants (for example, $2b$). Always rely on a cryptographically secure random generator for salt creation; don&#8217;t invent your own salt scheme. Choose a cost factor after benchmarking on production-like hardware and plan to re-evaluate periodically. When a user successfully authenticates, consider rehashing the password with an increased cost if you\u2019ve raised your target. Compare hashes using constant-time comparison functions to avoid timing attacks when checking credentials. In practice, call the library&#8217;s verify function, which re-derives the hash from the salt and cost stored in the bcrypt string, rather than hashing the password again yourself and comparing the two strings.\n    <\/p>\n<p><\/p>\n<p>\n      There are also practical steps for edge cases: if your application must accept very long passwords or support complex Unicode input, normalize and consistently encode the password before hashing, and if you need to accept inputs longer than 72 bytes, pre-hash the input with a secure hash (for example SHA-256) and pass that fixed-length output to bcrypt. Encode the digest as hex or base64 text before passing it on, because a raw binary digest can contain a NUL byte and many bcrypt implementations stop reading the password at the first NUL; either encoding of a SHA-256 digest still fits within the 72-byte limit. 
Some teams add a server-side &#8220;pepper&#8221; (a secret stored outside the database) to provide an additional layer of protection; if you use a pepper, manage it like any other secret and plan for rotation in case of compromise.\n    <\/p>\n<p><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Implementation_checklist\"><\/span>Implementation checklist<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><\/p>\n<ul><\/p>\n<li>Use a vetted bcrypt library and keep it updated.<\/li>\n<p><\/p>\n<li>Benchmark and set a cost that yields acceptable latency on your infrastructure.<\/li>\n<p><\/p>\n<li>Store the full bcrypt string (version, cost, salt, hash) so you can verify and <a href=\"https:\/\/support.hostinger.com\/en\/articles\/4455931-how-to-migrate-a-website-to-hostinger\" target=\"_blank\" rel=\"noopener\">migrate<\/a> later.<\/li>\n<p><\/p>\n<li>Normalize and encode passwords consistently; handle Unicode carefully.<\/li>\n<p><\/p>\n<li>Use constant-time comparison and secure random salts.<\/li>\n<p><\/p>\n<li>Combine bcrypt with other defenses: rate limiting, MFA, monitoring, and account lockout policies.<\/li>\n<p>\n    <\/ul>\n<p><\/p>\n<h2><span class=\"ez-toc-section\" id=\"When_to_consider_alternatives\"><\/span>When to consider alternatives<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<p>\n      For new systems, consider algorithms designed to be memory-hard, such as Argon2, if your threat model includes attackers with GPUs or custom hardware. Memory-hard functions force an attacker to consume lots of memory per guess, which reduces the effectiveness of parallel GPU cracking. That said, bcrypt remains widely supported and well-understood; <a href=\"https:\/\/support.hostinger.com\/en\/articles\/4455931-how-to-migrate-a-website-to-hostinger\" target=\"_blank\" rel=\"noopener\">migrating<\/a> to a different algorithm requires careful planning so you don\u2019t break authentication or lose the ability to verify existing accounts. 
A common <a href=\"https:\/\/infinitydomainhosting.com\/index.php?rp=\/knowledgebase\/208\/How-to-migrate-your-website-to-a-new-hosting-provider.html\">migration<\/a> path is to verify with the existing algorithm at login and then rehash the plain password with the new algorithm after successful authentication.\n    <\/p>\n<p><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Migrating_older_hashes_safely\"><\/span>Migrating older hashes safely<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<p>\n      When migrating from another hashing scheme, implement a strategy that preserves user access and gradually upgrades accounts. The typical pattern is: on user login, verify the password with the old hash; if it succeeds, compute a new hash using bcrypt (or your chosen algorithm) and store it. This approach avoids forcing a password reset for all users and ensures high-value accounts move to the stronger scheme opportunistically. Keep careful logs and ensure any migration code is covered by tests so you don\u2019t accidentally lock out users.\n    <\/p>\n<p><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Summary\"><\/span>Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<p>\n      Bcrypt is a proven password hashing choice that uses salts and an adjustable cost factor to make offline attacks expensive. Its design emphasizes adaptability over time, but it is not memory-hard and has practical limits such as input truncation. Secure use requires selecting an appropriate cost, using well-maintained libraries, normalizing inputs, and combining bcrypt with other security controls like rate limits and multi-factor authentication. 
For new systems with strong GPU-based attack concerns, evaluate modern alternatives such as Argon2 while planning a careful migration path for existing hashes.\n    <\/p>\n<p><!--KB_CAT_BLOCK--><\/p>\n<figure class=\"kb-cat-placeholder\" style=\"margin:1.75rem 0;display:block;\">\n<div class=\"kb-cat-wrap\" style=\"position:relative; overflow:hidden; border-radius:12px; box-shadow:0 10px 36px rgba(0,0,0,0.14);\"><img src=\"https:\/\/infinitydomainhosting.com\/kb\/assets\/img\/cat-default.webp\" alt=\"Security Aspects of Bcrypt Explained Clearly\" loading=\"lazy\" decoding=\"async\" style=\"max-width:100%;height:auto;display:block;border-radius:12px;box-shadow:0 8px 28px rgba(0,0,0,0.12);\" \/><\/p>\n<div class=\"kb-cat-gradient\" style=\"position:absolute; inset:0; background:linear-gradient(180deg, rgba(9,23,60,0.66) 0%, rgba(11,30,70,0.45) 40%, rgba(11,30,70,0.15) 100%);\"><\/div>\n<div class=\"kb-cat-textbox\" style=\"position:absolute; inset:auto 5% 7% 5%; color:#fff; text-align:center; display:flex; flex-direction:column; gap:.4rem; align-items:center; justify-content:flex-end;\">\n<div class=\"kb-cat-title\" style=\"font-weight:800; font-size:clamp(20px,3.6vw,34px); line-height:1.2; letter-spacing:.2px; text-shadow:0 1px 2px rgba(0,0,0,.35);\">Security Aspects of Bcrypt Explained Clearly<\/div>\n<div class=\"kb-cat-meta\" style=\"opacity:1; font-weight:600; font-size:clamp(13px,2.6vw,16px); line-height:1.45; text-shadow:0 1px 2px rgba(0,0,0,.28);\">What bcrypt does and why it matters Bcrypt is a password hashing algorithm designed to make it expensive for attackers to recover passwords from stolen hashes. 
Instead of encrypting, bcrypt\u2026<\/div>\n<div class=\"kb-cat-desc\" style=\"opacity:1; font-weight:500; font-size:clamp(12px,2.4vw,15px); line-height:1.5; max-width:900px; text-wrap:balance; text-shadow:0 1px 2px rgba(0,0,0,.25);\">AI<\/div>\n<\/div>\n<\/div>\n<\/figure>\n<p><\/p>\n<h2><span class=\"ez-toc-section\" id=\"FAQs\"><\/span>FAQs<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Is_bcrypt_still_secure_in_2025\"><\/span>Is bcrypt still secure in 2025?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><\/p>\n<p>\n      Yes, bcrypt remains a secure option for password hashing when used correctly (appropriate cost, secure salts, proper libraries). However, if your threat model includes attackers with powerful GPUs or specialized hardware, consider using a memory-hard algorithm like Argon2 for improved resistance to parallelized cracking.\n    <\/p>\n<p><\/p>\n<h3><span class=\"ez-toc-section\" id=\"What_cost_factor_should_I_use_for_bcrypt\"><\/span>What cost factor should I use for bcrypt?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><\/p>\n<p>\n      There is no single correct value; choose a cost that results in acceptable hashing time on your production hardware. Many teams aim for roughly 100\u2013500 milliseconds per hash for interactive logins, but you should benchmark and consider your user load. Increase the cost over time as hardware improves.\n    <\/p>\n<p><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Does_bcrypt_protect_against_GPU_cracking\"><\/span>Does bcrypt protect against GPU cracking?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><\/p>\n<p>\n      Bcrypt slows GPU cracking compared with raw hashes because of its computational cost, but it is not memory-hard and therefore less resistant to GPUs and ASICs than algorithms like Argon2 or scrypt. 
Bcrypt remains useful, but accept that attackers with strong hardware will still be able to make progress given enough time and resources.\n    <\/p>\n<p><\/p>\n<h3><span class=\"ez-toc-section\" id=\"How_do_I_handle_passwords_longer_than_72_bytes\"><\/span>How do I handle passwords longer than 72 bytes?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><\/p>\n<p>\n      Many bcrypt implementations truncate at 72 bytes, so two passphrases that share their first 72 bytes verify against the same hash. If you need to support longer passphrases consistently, pre-hash the password with a secure hash function (e.g., SHA-256) and then feed the fixed-length result to bcrypt as hex or base64 text; a raw binary digest can contain a NUL byte, at which many implementations stop reading the input. Also normalize Unicode input so different encodings don&#8217;t change the hash unexpectedly.\n    <\/p>\n<p><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Should_I_add_a_pepper_to_bcrypt_hashes\"><\/span>Should I add a pepper to bcrypt hashes?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><\/p>\n<p>\n      A pepper (a server-side secret added to each password before hashing) can increase resilience if your database is leaked, but it introduces operational complexity: the pepper must be stored and rotated securely outside the database. 
Use a pepper only if you can manage it safely, and treat it like any other critical secret.\n    <\/p>\n<p><\/article>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>What bcrypt does and why it matters Bcrypt is a password hashing algorithm designed to make it expensive for attackers to recover&hellip;<\/p>\n","protected":false},"author":1,"featured_media":52602,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_lmt_disableupdate":"","_lmt_disable":"","footnotes":""},"categories":[8,9405,4593,9,1,4594,3,5,10,11,7,88],"tags":[586,13308,473,13433,13432,7918,13427,13143,11181,13304,579,13431,10550],"class_list":["post-52601","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-website-security","category-ai","category-databases","category-domains","category-general","category-networking","category-php-scripts","category-seo","category-servers","category-support","category-web-design","category-web-hosting","tag-authentication","tag-bcrypt","tag-best-practices","tag-brute-force-resistance","tag-cost-factor","tag-cryptography","tag-hashing-algorithm","tag-password-hashing","tag-password-security","tag-salt","tag-security","tag-security-aspects-of-bcrypt-explained-clearly","tag-vulnerabilities"],"_links":{"self":[{"href":"https:\/\/infinitydomainhosting.com\/kb\/wp-json\/wp\/v2\/posts\/52601","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infinitydomainhosting.com\/kb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infinitydomainhosting.com\/kb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infinitydomainhosting.com\/kb\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infinitydomainhosting.com\/kb\/wp-json\/wp\/v2\/comments?post=52601"}],"version-history":[{"count":1,"href":"https:\/\/infinitydomainhosting.com\/kb\/wp-json\/wp\/v2\/posts\/52601\/revisions"}],"pr
edecessor-version":[{"id":52603,"href":"https:\/\/infinitydomainhosting.com\/kb\/wp-json\/wp\/v2\/posts\/52601\/revisions\/52603"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infinitydomainhosting.com\/kb\/wp-json\/wp\/v2\/media\/52602"}],"wp:attachment":[{"href":"https:\/\/infinitydomainhosting.com\/kb\/wp-json\/wp\/v2\/media?parent=52601"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infinitydomainhosting.com\/kb\/wp-json\/wp\/v2\/categories?post=52601"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infinitydomainhosting.com\/kb\/wp-json\/wp\/v2\/tags?post=52601"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}