No way to "bang out" a password
If a password doesn't match the scrypt format, an IllegalArgumentException is thrown. It would be useful to have something to put in the password field that reliably matches no password, so that passwords can conveniently be disabled.
Thanks for writing this!
Hi Paul, I'm not quite sure what you mean. Are you asking for a magic string that can be passed to SCryptUtil.check() that will always result in a false match? If so, that seems like something application-specific rather than belonging in a library.
That's exactly what I have in mind. The downside with handling it at the application level is that the timing will be different; I'd prefer that an attacker wasn't able to tell by timing that the password was disabled. However, given that the timing of scrypt is variable anyway there may not be a good fix to that.
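An application-level version of what the thread is discussing, added here as an example (it is not code from the scrypt library or from either poster). It assumes the library's `com.lambdaworks.crypto.SCryptUtil` API (`scrypt(password, N, r, p)` and `check(password, hashed)`, the latter throwing `IllegalArgumentException` for anything not in the `$s0$...` format), a sentinel value `"!"` chosen here for disabled accounts, and a dummy scrypt hash of a random, discarded password that is run through `check()` whenever the stored value is the sentinel or malformed, so that a denial costs the same scrypt work as a wrong password against a live account.

```java
import java.security.SecureRandom;
import java.util.Base64;

import com.lambdaworks.crypto.SCryptUtil;

/**
 * Added example, not part of the scrypt library: disabling ("banging out") a
 * password at the application level while keeping the scrypt work factor the
 * same for disabled and live accounts.
 */
public final class DisabledPasswordCheck {

    /** Sentinel stored in the password field for disabled accounts (an application convention, assumed here). */
    public static final String DISABLED = "!";

    /** scrypt cost parameters; the dummy hash must use the same ones as the real hashes so the work matches. */
    private static final int N = 1 << 14;
    private static final int R = 8;
    private static final int P = 1;

    /**
     * A genuine scrypt hash of a random secret that is thrown away immediately. It exists only so that
     * a disabled account performs the same scrypt computation as a live account with a wrong password.
     * Computed once at class load.
     */
    private static final String DUMMY_HASH = SCryptUtil.scrypt(randomSecret(), N, R, P);

    private DisabledPasswordCheck() {}

    /** Hashes a password for storage using the parameters above. */
    public static String hash(String password) {
        return SCryptUtil.scrypt(password, N, R, P);
    }

    /**
     * Verifies a candidate password against the stored field. The sentinel never reaches the library;
     * instead the dummy hash is checked (result ignored) so the cost is paid, and the caller gets false.
     */
    public static boolean verify(String candidate, String stored) {
        if (stored == null || DISABLED.equals(stored)) {
            SCryptUtil.check(candidate, DUMMY_HASH); // burn the same scrypt work, then deny
            return false;
        }
        try {
            return SCryptUtil.check(candidate, stored);
        } catch (IllegalArgumentException notAnScryptHash) {
            // check() rejects a malformed value before doing any scrypt work, so pay for it here
            // and treat the entry as disabled rather than letting the exception escape.
            SCryptUtil.check(candidate, DUMMY_HASH);
            return false;
        }
    }

    private static String randomSecret() {
        byte[] buf = new byte[32];
        new SecureRandom().nextBytes(buf);
        return Base64.getEncoder().encodeToString(buf);
    }

    public static void main(String[] args) {
        String stored = hash("correct horse battery staple"); // constructed sample account

        System.out.println(verify("correct horse battery staple", stored)); // live account, right password
        System.out.println(verify("wrong", stored));                        // live account, wrong password
        System.out.println(verify("anything", DISABLED));                   // disabled account
        System.out.println(verify("anything", "not-a-hash"));               // corrupt field, no exception escapes

        // Constructed timing comparison of the two denied cases.
        long t0 = System.nanoTime();
        verify("wrong", stored);
        long t1 = System.nanoTime();
        verify("wrong", DISABLED);
        long t2 = System.nanoTime();
        System.out.printf("live/wrong: %d ms, disabled: %d ms%n",
                (t1 - t0) / 1_000_000, (t2 - t1) / 1_000_000);
    }
}
```

This only equalises the scrypt computation itself. As the thread notes, scrypt timing is variable anyway: hashes stored with different N/r/p take different amounts of time, and system noise adds jitter, so the dummy hash should be generated with the same parameters that production hashes use, and the approach narrows rather than eliminates the timing difference between "wrong password" and "account disabled".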