bcrypt.js
Salt overwritten
Hi, doing this code overwrites last char of salt:

```js
const bcrypt = require('bcryptjs');
// salt being '$2a$10$var3Tvt8r4oEdWma//kJVb'
// string to hash 'var3Tvt8r4oEdWma//kJVb5HqFoJJba'
bcrypt.hashSync('var3Tvt8r4oEdWma//kJVb5HqFoJJba', '$2a$10$var3Tvt8r4oEdWma//kJVb');
```

result is:
$2a$10$var3Tvt8r4oEdWma//kJVOApzkr/VeOLaZRtXmXC.UMebrcCcNlK.
here salt looks like '$2a$10$var3Tvt8r4oEdWma//kJVO' meaning 'O' replaced 'b'
Is that expected when salt is similar to hashed string?
My console.log for another 2 examples:

```
// it's not always like that:
salt $2a$10$kDM0rsXXnKBP7mEQlQNu/.
tohash kDM0rsXXnKBP7mEQlQNu/.BiBxq08gG
new_hash $2a$10$kDM0rsXXnKBP7mEQlQNu/.fZiBGeteX4J4KHrRQqE/BLcKneZ4pmK

// but also happens for other example:
salt $2a$10$fZiBGeteX4J4KHrRQqE/BL
tohash fZiBGeteX4J4KHrRQqE/BLcKneZ4pmK
new_hash $2a$10$fZiBGeteX4J4KHrRQqE/B.cw/BS5L2zeO.dMWYedRMMWbJqkUJ9xu
```
@passcombo I can't quite see what you are trying to accomplish. Can you make JSBin or similar that demonstrates the issue?
I can confirm the above observation; however, I don't know if that is by intent. @dcodeIO ?
Any update on this? Is this working as intended? Is there a work around to handle this use case?
My assumption here is that the input salt is somehow wrong and not properly encoded, thus leading to unpredictable behaviour down the road. There'd be a lot more breakage and incompatibilities if there was something fundamentally off. Feel free to correct me if I'm wrong.
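An added example, not part of the thread or of bcrypt.js: a bcrypt salt is 16 bytes (128 bits), but its 22 radix-64 characters hold 132 bits, so only the top two bits of the last character are used and a re-encoded salt can only end in `.`, `O`, `e` or `u`. The sketch below (helper names are hypothetical) decodes and re-encodes the three salts posted above and reproduces the salt prefixes seen in their hashes.

```javascript
// Added example; the function names are hypothetical, not bcrypt.js API.
const ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

// Decode the 22-character salt field into 16 raw bytes (132 bits in, 128 kept).
function decodeSalt(field) {
  let bits = 0, nbits = 0;
  const bytes = [];
  for (const ch of field) {
    const v = ALPHABET.indexOf(ch);
    if (v < 0) throw new Error("invalid salt character: " + ch);
    bits = (bits << 6) | v;
    nbits += 6;
    if (nbits >= 8) {
      nbits -= 8;
      bytes.push((bits >> nbits) & 0xff);
      bits &= (1 << nbits) - 1;
    }
  }
  return bytes; // the 4 leftover low bits of the last character are dropped
}

// Encode 16 raw bytes back to 22 characters; the final character is zero-padded.
function encodeSalt(bytes) {
  let bits = 0, nbits = 0, out = "";
  for (const b of bytes) {
    bits = (bits << 8) | b;
    nbits += 8;
    while (nbits >= 6) {
      nbits -= 6;
      out += ALPHABET[(bits >> nbits) & 0x3f];
      bits &= (1 << nbits) - 1;
    }
  }
  if (nbits > 0) out += ALPHABET[(bits << (6 - nbits)) & 0x3f];
  return out;
}

// Return the salt string with the unused bits of its last character cleared.
function canonicalSalt(salt) {
  const m = /^(\$2[abxy]?\$\d\d\$)([./A-Za-z0-9]{22})$/.exec(salt);
  if (!m) throw new Error("not a bcrypt salt string");
  return m[1] + encodeSalt(decodeSalt(m[2]));
}

// The three salts quoted in this thread.
for (const s of ["$2a$10$var3Tvt8r4oEdWma//kJVb", "$2a$10$kDM0rsXXnKBP7mEQlQNu/.",
                 "$2a$10$fZiBGeteX4J4KHrRQqE/BL"]) {
  console.log(s, "->", canonicalSalt(s));
}
```

Code that matches a supplied salt against the prefix of a stored hash should compare canonical forms, or call `bcrypt.compareSync` rather than comparing strings.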