This adds support for 2b and 2y hash revisions.
It is perhaps worthy to note that jBCrypt's support for 2a hashes is incorrect, as it should mimic the bug in the OpenBSD implementation that spawned the 2b hash, that is, wrapping the password length at 256. Since it's probably mostly used in "private" systems where it doesn't interact with other implementations, it's probably best to leave the 2a support as is, so as to not break current hashes, but it is nevertheless technically incorrect.
Also, jBCrypt should generate 2b hashes in gensalt, but that could cause problems where several systems that use the same password database might be at different versions. OpenBSD solved this by first adding support for 2b hashes, and then half a year later also generating them by default. Arguably, jBCrypt should do the same thing.

Finally, 2y hashes should be identical to 2b hashes, so I added support for those as well, even though they're only used in the PHP implementation of bcrypt. I noticed there were a number of forks that did nothing but add 2y-hash support, so I figured why not add it. I'd like to note that 2y is not the same as 2x, since 2x indicates a bug in a previous PHP version of bcrypt, that I don't have any personal reason to track down and recreate.
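The following is an added example, not code from this pull request or from jBCrypt: a small audit helper that accepts the 2a, 2b and 2y prefixes, rejects 2x, and flags password lengths for which an OpenBSD-generated 2a hash may not verify against a non-wrapping 2a implementation. The class and method names are hypothetical, and it assumes the OpenBSD 2a code kept the key length (password bytes plus the trailing NUL) in an 8-bit variable and that the bcrypt key schedule consumes at most 72 key bytes.

```java
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not jBCrypt code; class and method names are hypothetical.
public class BcryptRevisionCheck {
    // "$2a$", "$2b$" or "$2y$", two-digit cost, then 22 salt + 31 hash characters.
    private static final Pattern HASH =
        Pattern.compile("^\\$2([aby])\\$(\\d{2})\\$[./A-Za-z0-9]{53}$");

    /** Revision letter of a stored hash; rejects 2x and anything malformed. */
    static char revision(String hash) {
        Matcher m = HASH.matcher(hash);
        if (!m.matches()) {
            throw new IllegalArgumentException("unsupported or malformed bcrypt hash");
        }
        return m.group(1).charAt(0);
    }

    /**
     * Assumption: OpenBSD's old 2a code kept (length + 1) in an 8-bit variable,
     * and the key schedule consumes at most 72 key bytes. A 2a hash made there
     * can then differ from a non-wrapping 2a implementation only when the
     * length wraps to a value below 72.
     */
    static boolean openBsd2aMayDiffer(String password) {
        int withNul = password.getBytes(StandardCharsets.UTF_8).length + 1;
        int wrapped = withNul & 0xFF;
        return withNul > 0xFF && wrapped < 72;
    }

    public static void main(String[] args) {
        // Constructed sample hashes: filler characters, not real bcrypt output.
        String body = "$10$" + "A".repeat(53);
        for (String prefix : new String[] {"$2a", "$2b", "$2y"}) {
            System.out.println(prefix + " -> revision " + revision(prefix + body));
        }
        try {
            revision("$2x" + body);
        } catch (IllegalArgumentException e) {
            System.out.println("$2x -> " + e.getMessage());
        }
        // Constructed password lengths around the 8-bit boundary.
        for (int n : new int[] {72, 254, 255, 300, 400}) {
            System.out.println(n + " bytes -> may differ: " + openBsd2aMayDiffer("x".repeat(n)));
        }
    }
}
```

Running the length check over a shared password database's 2a entries is only meaningful at login time, when the plaintext length is known; it needs Java 11 or later for `String.repeat`.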