[Melbourne-pm] Newbie crypto/bcrypt question
Alfie John
alfiej at fastmail.fm
Fri May 23 01:33:32 PDT 2014
On Fri, May 23, 2014, at 04:56 PM, Simon Taylor wrote:
> In my tests here it seems that wherever one of your passwords is made up
> of concatenations of the other, you get the same problem, ie:
>
> my @A = hashPassword1("x1z");
> my @B = hashPassword1("x1zx1zx1z");
Yeah, playing around I noticed the same thing.
> It is possible that you're supposed to use a different salt for *each*
> call to bcrypt_hash() ?
I would hope not!
I got an answer from Zefram (the author):
===
"key_null" should be "key_nul". Internally the hashing process involves
repeating the key to make it up to the full internal key length, and
if that's just done with the raw password then any password consisting
of a repeated sequence will produce the same hash as that sequence on
its own. The key_nul feature was added to the hash algorithm precisely
to avoid this.
===
tl;dr: typo :(
Alfie
--
Alfie John
alfiej at fastmail.fm
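As an added illustration (not code from this thread or from Crypt::Eksblowfish), a Python model of the key cycling Zefram describes: it assumes only that the EksBlowfish key schedule cycles the password's bytes over the 72-byte P-array and that key_nul appends a NUL before cycling; it computes no real bcrypt hashes, and the repeating_unit helper is a hypothetical name added here to show which passwords collapse together.

```python
# Added example: models the key-cycling step of the bcrypt key schedule
# to show why "x1z" and "x1zx1zx1z" feed identical key material when no
# terminating NUL is appended. This is a simplified model (assumption),
# not the EksBlowfish implementation, and produces no bcrypt hashes.

P_ARRAY_BYTES = 18 * 4  # 18 32-bit P-array words, filled from the key


def expand_key(password: bytes, key_nul: bool) -> bytes:
    """Cycle the key's bytes to fill the 72-byte key stream.

    With key_nul=True a NUL is appended first, so the cycle's period is
    len(password) + 1 and a repeated password no longer collapses onto
    its repeating unit.
    """
    key = password + (b"\x00" if key_nul else b"")
    if not key:
        raise ValueError("empty key with key_nul off has no bytes to cycle")
    return bytes(key[i % len(key)] for i in range(P_ARRAY_BYTES))


def same_key_material(a: bytes, b: bytes, key_nul: bool) -> bool:
    """True when both passwords feed identical bytes into the key schedule."""
    return expand_key(a, key_nul) == expand_key(b, key_nul)


def repeating_unit(password: bytes) -> bytes:
    """Smallest string whose repetition equals the password (hypothetical
    helper): without key_nul, the password collides with this unit."""
    n = len(password)
    for p in range(1, n + 1):
        if n % p == 0 and password[:p] * (n // p) == password:
            return password[:p]
    return password


if __name__ == "__main__":
    for nul in (False, True):
        print(f"key_nul={nul}: x1z vs x1zx1zx1z same material ->",
              same_key_material(b"x1z", b"x1zx1zx1z", nul))
    print("repeating unit of x1zx1zx1z:", repeating_unit(b"x1zx1zx1z"))
```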