[Melbourne-pm] Newbie crypto/bcrypt question

Alfie John alfiej at fastmail.fm
Fri May 23 01:33:32 PDT 2014

On Fri, May 23, 2014, at 04:56 PM, Simon Taylor wrote:
> In my tests here it seems that wherever one of your passwords is made up 
> of concatenations of the other, you get the same problem, ie:
>    my @A = hashPassword1("x1z");
>    my @B = hashPassword1("x1zx1zx1z");

Yeah, playing around I noticed the same thing.

> It is possible that you're supposed to use a different salt for *each* 
> call to bcrypt_hash() ?

I would hope not!

I got an answer from Zefram (the author):

"key_null" should be "key_nul".  Internally the hashing process involves 
repeating the key to make it up to the full internal key length, and     
if that's just done with the raw password then any password consisting   
of a repeated sequence will produce the same hash as that sequence on    
its own.  The key_nul feature was added to the hash algorithm precisely  
to avoid this.

tl;dr: typo :(


  Alfie John
  alfiej at fastmail.fm

More information about the Melbourne-pm mailing list