B4J Library BCrypt - implementation of OpenBSD's Blowfish password hashing code

MathiasM

Active Member
Licensed User
No replies yet, shame.
Bro, nicely done, you're a life saver. This is a _very_ nice lib!
Here, have a Belgian beer (if you're allowed to drink)
 

ilan

Expert
Licensed User
Longtime User
Just tried the library but I always get a different HASH. Am I doing something wrong?

B4X:
    Dim bc As BCrypt
    For i = 0 To 4
        Log(bc.HashPW2("test",10))
    Next

logs:
Waiting for debugger to connect...
Program started.
Emulated network latency: 100ms
$2a$10$1z1XIWA.hoMlwDNuhYp2j.cHWMZOmmjZqCTWnNQF5ksonQO3Cmk2e
$2a$10$r1FEuLsMYpFiFUBVEYMc.eA5J2Uyc822OXg4R8tFbL5gp9El/idiW
$2a$10$yy7SOKWgYKqLl6btz3uUSORQ6KQW1kQKineREp653eRVT6Q/zTX4.
$2a$10$REv./fpuZap8ywCPyj1ckuG527GSArUvVHBJ/NPnIlbMi./F7RdMm
$2a$10$ZsuXztqnl2DqtsNArsrFfuv.pJ7Io9lI.F1HRtK3QPgRuv.yGyCBG

Sorry, my mistake. The salt is always different, that's why the hash is different.
 

MathiasM

Active Member
Licensed User
Security risk, read this:

While this library is very good, it silently truncates the password, not throwing any error. E.g.:
B4X:
    Dim hash As String = crypt.HashPW("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")
    Log(crypt.CheckPW("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", hash)) 'True
    Log(crypt.CheckPW("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", hash)) 'Also True

This is normal, as it follows the bcrypt specs. A possible solution is Base64 encoding the password before hashing.
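Two defensive wrappers for the 72-byte limit described in this post, as an added example in Python (not B4X, and not part of the library or of the thread): a hard length check that refuses what bcrypt would silently truncate, and a SHA-256 plus Base64 pre-hash whose 44-byte output always fits and is passed to HashPW2/CheckPW instead of the raw password. The helper names and the pre-hash construction are my own choices; the 72-byte figure is bcrypt's documented effective input length.

```python
import base64
import hashlib

# bcrypt's effective key length: only the first 72 bytes of the password take part
# in the hash, so two passwords that agree on those bytes verify against the same hash.
BCRYPT_MAX_BYTES = 72


def effective_bcrypt_input(password: str) -> bytes:
    """The part of the password that bcrypt actually hashes (UTF-8 bytes, cut at 72).

    The limit is in bytes, not characters, so multi-byte characters reach it sooner.
    """
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def check_length_for_bcrypt(password: str) -> None:
    """Policy 1: refuse passwords that bcrypt would silently truncate."""
    size = len(password.encode("utf-8"))
    if size > BCRYPT_MAX_BYTES:
        raise ValueError(f"password is {size} bytes; bcrypt only hashes the first {BCRYPT_MAX_BYTES}")


def prehash_for_bcrypt(password: str) -> str:
    """Policy 2: map a password of any length to a fixed 44-byte string for bcrypt.

    SHA-256 over the UTF-8 bytes, then Base64 (my own construction, not the library's).
    The raw digest can contain NUL bytes, which C-string style bcrypt implementations
    treat as end of password, so the Base64 step keeps the value printable and NUL-free.
    Pass this string, not the original password, to both HashPW2 and CheckPW; hashes
    stored from the raw password will no longer verify, so existing users need a migration.
    """
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: identical for the first 72 bytes, different afterwards.
    pw_a = "a" * 72 + "first-tail"
    pw_b = "a" * 72 + "second-tail"
    print(effective_bcrypt_input(pw_a) == effective_bcrypt_input(pw_b))  # True: bcrypt sees no difference
    print(prehash_for_bcrypt(pw_a) == prehash_for_bcrypt(pw_b))  # False: the pre-hash keeps the tail
```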
 