Comments (9)
Hi @dpatriarche that sounds a great feature!
The desired key length should be part of the input parameters!
Feel free to open a pull request!
from password4j.
Okay, I'll do that.
from password4j.
Looking at the code further, I believe that Password.check(password, inputHash).withSCrypt()
doesn't look at the input hash's scrypt parameters, i.e. workfactor (N), resources (r), and parallelization (p). If the any of the input hash's "Nrp" values differs from the values specified in the psw4j.properties
file (or the defaults in AlgorithmFinder.getSCryptInstance()
) then the check will always fail.
Do you agree that this is the case? If so, then I can address this too in HashChecker
. I notice that HashUpdater
actually does look at the scrypt parameters, so it seems like a straightforward change to make HashChecker
call getInstanceFromHash()
methods like HashUpdater
does. I propose making this change for all the parameterized algorithms (scrypt, argon2, etc.).
One last thing: Is there a reason the algorithms keep a persistent INSTANCES
map of instances in memory? It's not a big deal for scrypt, but for an argon2 instance with m=4096, that 1MiB of memory that is allocated forever.
from password4j.
Yes that was done on purpose: the system configurations determine the way the password are checked, not the data retrieved from database.
In case you want to follow the configurations stored in the hash you can always do something like this:
Password.check(userPassword, hashFromDB).with(SCrypt.getInstanceFromHash(hashFromDB));
or
Password.check(userPassword, hashFromDB).with(SCrypt.getInstance(N, r, p));
The problem in both approaches, as you correctly pointed out, is that there is no way to explicit a key length different from 64 bytes.
A new method getInstance(int, int, int, int)
must be used (the old one should use a default key length, like Argon2 does with the version) and a change on getInstanceFromHash(String)
so that it reads the length of the key from the hash.
A few thoughts about the persistent INSTANCES
:
- Most of the target systems check passwords with a constant configuration (again, the system configurations must lead) rather than using different configurations for different hashes (but you can still do it with Password4j with something like my first example).
- In a multi threaded application (e.g. any web application) building the very same object hundred or even thousand times per second it's a waste of time and space. Especially in the case of Argon2, where at least the
initialBlockMemory
is computed just once and it is shared among all the instances.
from password4j.
Ah okay, thanks for the insight! I will rework my pull request to conform to the above, with the new method getInstance(int, int, int, int)
that you suggest.
from password4j.
Thank you for your work @dpatriarche!
from password4j.
My pleasure, happy to contribute!
from password4j.
Hi @dpatriarche
release 1.5.1 contains your fix and it has been published in maven central.
from password4j.
Thanks very much, I have updated my project to use the new version.
from password4j.
Related Issues (20)
- needRehash function to check if password parameters are up to date HOT 4
- Library cannot be loaded on Java8 JVMs HOT 3
- Bad Shift in Bcrypt cryptRaw HOT 9
- JDK17: java.security.AccessController is deprecated HOT 2
- static block in Password class does not initialize due to NPE HOT 3
- Password4J Module Support HOT 1
- Wrong hashes when characters outside of ISO 8859-1 are used HOT 7
- Support for Balloon Hashing HOT 10
- There is no option to disable console printBanner. HOT 4
- stdout polluted with friendly message HOT 2
- Argon2: fix addRandomSalt
- Move assertions into separate method or use assertThrows or try-catch instead. HOT 2
- Align default values to OWASP recommended
- Remove logging functionalities HOT 2
- Add banner HOT 2
- Remove the remaining dependencies
- Argon2 not working as expected HOT 11
- Inconsistency between public and internal APIs HOT 1
- Configurable salt length HOT 8
- Please provide byte array based hashing HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from password4j.