Comments (4)
I am going to close this issue. Thanks for the education - it helped. What I was missing was that bcrypt stores the hash internally. The database was designed to handle various algorithms so the hash was basically just duplicated.
from password4j.
Hi @jehugaleahsa,
What algorithm are you using? bcrypt, for example, generates the salt by itself and it cannot be specified.
Can you provide an example where you get the error?
Thank you 🙂
Sorry. I probably didn't explain that very well. Currently, I am using patrickfav's implementation of bcrypt. To generate the salt, I am using Java's SecureRandom class. It works just fine - I wasn't sure if you were saying your implementation always generates its own salt or if that's the nature of the bcrypt algorithm in general.
I answered my own question about the UTF8 thing, btw. The unit test below took one of my salts, encoded as Base64, and converts it back to a byte array. I convert it to a string using UTF8 and back again, and confirmed the byte arrays do not match. So the Java UTF8 encoder must map invalid character sequences, so the byte[] doesn't round-trip.
```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;

@Test
public void testEncoding() {
    // one of my stored salts, encoded with standard Base64 (16 raw bytes)
    byte[] bytes = Base64.getDecoder().decode("CBrGvzDkT1UFDkmPQ94pOQ==");
    // decoding as UTF-8 replaces invalid byte sequences, so the bytes are lost
    String utf8 = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(bytes)).toString();
    byte[] encoded = utf8.getBytes(StandardCharsets.UTF_8);
    Assertions.assertArrayEquals(bytes, encoded); // <--- this fails
}
```
Does your library avoid generating salts that would run into this issue? I am not going to be able to port to using password4j because I can't use the existing salts in my database.
There are no inconsistencies between the two libraries, as you can see:
```java
import at.favre.lib.crypto.bcrypt.BCrypt;
import com.password4j.BcryptFunction;
import com.password4j.Password;
import com.password4j.types.Bcrypt;

String password = "MySuperSecurePassword";
// hash with patrickfav's implementation (cost factor 12)
String hash1 = BCrypt.withDefaults().hashToString(12, password.toCharArray());
// hash with Password4j implementation ($2a$ variant, cost factor 12)
BcryptFunction f = BcryptFunction.getInstance(Bcrypt.A, 12);
String hash2 = Password.hash(password).with(f).getResult();
// check patrickfav's hash with Password4j
boolean ok1 = Password.check(password, hash1).with(f); // true
// check Password4j's hash with patrickfav's implementation
boolean ok2 = BCrypt.verifyer().verify(password.toCharArray(), hash2).verified; // true
```
What I find weird is that you had stored the salt in a separate column in your database. You must always save the hash in its original form, like $2a$12$dp7gYK/LoX1Cm4jpZXp56Onv7Bnf178GpZQVYKwaS4VZvZ0fSLcPu.
bcrypt (but also scrypt and Argon2) integrates the salt inside the cipher text, but bcrypt has stricter rules:
- a 16-byte salt
- salt and cipher text are encoded with a modified version of Base64
The last point is probably where you have the issue: you are using the standard Base64 decoder, while it was originally encoded with a modified one. I didn't check how patrickfav's BCrypt.Result encodes the salt, but I'm quite sure it's not using the modified Base64.
The only solution I see is that you have to implement the modified version of Base64 (see for example com.password4j.BcryptFunction#decodeBase64(String, int)). Even if Password4j would allow salts in the form of byte[] (which is a good feature), you would still have to decode your salts from standard Base64 and encode them back with the modified Base64.
from password4j.
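A worked example added here (not code from the issue or from password4j) covering the two points raised in the thread: a raw 16-byte salt does not survive a UTF-8 round trip, and a salt stored in standard Base64 has to be re-encoded with bcrypt's own alphabet before it can be placed in a bcrypt hash string. It is written in Python so it runs stand-alone; the salt and hash values are the ones quoted in the comments above, and the field-splitting of the hash string is the standard bcrypt layout, not a password4j API.

```python
import base64

# Values taken from the thread: the reporter's salt in standard Base64 and the
# maintainer's example bcrypt hash string.
STD_SALT_B64 = "CBrGvzDkT1UFDkmPQ94pOQ=="
PAGE_HASH = "$2a$12$dp7gYK/LoX1Cm4jpZXp56Onv7Bnf178GpZQVYKwaS4VZvZ0fSLcPu"

# bcrypt uses its own 64-character alphabet (starting "./") and no '=' padding.
# The bit layout is the same as RFC 4648 Base64, so a character translation
# between the two alphabets is enough to convert one form to the other.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_STD_TO_BCRYPT = str.maketrans(STD_ALPHABET, BCRYPT_ALPHABET)
_BCRYPT_TO_STD = str.maketrans(BCRYPT_ALPHABET, STD_ALPHABET)


def bcrypt_b64encode(raw: bytes) -> str:
    """Encode raw bytes in bcrypt's modified Base64 (no padding)."""
    std = base64.b64encode(raw).decode("ascii").rstrip("=")
    return std.translate(_STD_TO_BCRYPT)


def bcrypt_b64decode(text: str) -> bytes:
    """Decode bcrypt's modified Base64 back to raw bytes."""
    std = text.translate(_BCRYPT_TO_STD)
    return base64.b64decode(std + "=" * (-len(std) % 4))


def std_salt_to_bcrypt(std_b64: str) -> str:
    """Convert a salt stored in standard Base64 to the 22-char bcrypt form."""
    raw = base64.b64decode(std_b64)
    if len(raw) != 16:
        raise ValueError("bcrypt salts are exactly 16 bytes")
    return bcrypt_b64encode(raw)


def parse_bcrypt_hash(h: str) -> dict:
    """Split "$2x$cost$<22-char salt><31-char digest>" into its fields."""
    _, version, cost, body = h.split("$")
    if len(body) != 53:
        raise ValueError("expected 22 salt + 31 digest characters")
    return {"version": version, "cost": int(cost),
            "salt": bcrypt_b64decode(body[:22]), "digest": body[22:]}


def utf8_round_trips(raw: bytes) -> bool:
    """Mirror the Java test: decode as UTF-8 (replacing bad sequences), re-encode, compare."""
    return raw.decode("utf-8", errors="replace").encode("utf-8") == raw
```

Note that `utf8_round_trips` uses `errors="replace"` to match Java's silent replacement; a strict decode in Python would raise instead, which makes the same point.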