
Comeonin Bcrypt does not support the 2y prefix? #103

Closed
hariharasudhan94 opened this issue Apr 4, 2017 · 8 comments

Comments

@hariharasudhan94

hariharasudhan94 commented Apr 4, 2017

I have a set of passwords which have the $2y$ prefix. When I try to check a password using Comeonin.Bcrypt.checkpw("hard to guess", stored_hash), I get an error like "Comeonin Bcrypt does not support the 2y prefix". How can I resolve this issue?

@riverrun
Owner

riverrun commented Apr 5, 2017

The $2y$ prefix is provided by another version of Bcrypt (not the OpenBSD version), and it's not supported. There's also no plan to support it.

@hariharasudhan94
Author

Is there any other option or library I can try right now?

@riverrun
Owner

I don't know anything in Elixir or Erlang that supports the $2y$ prefix.

@hubertlepicki

hubertlepicki commented Apr 22, 2017

@riverrun as far as I understand, $2y$ does not mark any incompatible algorithm. It is equal to $2a$.

PHP people had a bug in their implementation, and used the special prefix $2x$ to mark hashes generated with the broken implementation. Then they decided that it's a good idea to introduce $2y$, to distinguish from the possibly broken $2a$ they may have in the database, and the definitely broken $2x$.

So, in a nutshell, hashes with $2y$ could be treated as $2a$, and we should instead raise on the prefix $2x$, which is indeed most likely wrong.

@riverrun
Owner

The $2y$ prefix is part of the Openwall implementation, and according to their bcrypt page, it should be compatible with the $2b$ prefix from the OpenBSD version.

However, before I make any change, I obviously need to do a certain amount of research to decide how best to approach it. At the moment, I don't have the time to do that, but if there is a demand for $2y$ prefix support, I can make the time.

I hope that answers your questions.

@hubertlepicki

I'm not sure if this should be supported, to be fair.

Maybe we simply need a better error message saying that this prefix is not supported and that you should replace it with the compatible $2b$ one.

@riverrun
Owner

I could look into improving the error message.

@ryanwinchester

@riverrun

For what it's worth, this works for me:

```elixir
# Rewrite the $2y$ prefix to $2b$ before handing the stored hash to Comeonin
Comeonin.Bcrypt.checkpw(password, fix_prefix(password_hash))

# Only the prefix changes; the cost, salt and digest are passed through unchanged
defp fix_prefix("$2y" <> rest), do: "$2b" <> rest
defp fix_prefix(password_hash), do: password_hash
```
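
The prefix handling hubertlepicki describes ($2y$ equivalent to $2a$, $2x$ marking hashes from the broken PHP implementation) together with the $2y$-to-$2b$ rewrite in the workaround above, as an added Python example that is not part of this thread or of Comeonin: it validates the stored string's layout before touching it, rewrites only $2y$, and refuses $2x$ so the caller can force a rehash instead of silently verifying against it. The sample hash is constructed for the example and is not real bcrypt output.

```python
import re

# Modular-crypt layout of a bcrypt string, as discussed in the thread:
#   $<prefix>$<cost>$<22-char salt><31-char digest>   (60 characters total)
_BCRYPT_RE = re.compile(
    r"^\$(?P<prefix>2[abxy])\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

# Constructed sample (not a real hash): 22-char salt and 31-char digest drawn
# from the bcrypt base64 alphabet, carrying the $2y$ prefix from the issue.
SAMPLE_2Y = "$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"


class UnsupportedBcryptPrefix(ValueError):
    """Raised for $2x$ hashes instead of passing them through to the checker."""


def parse_bcrypt(stored: str) -> dict:
    """Validate a stored bcrypt string and split it into its fields."""
    m = _BCRYPT_RE.match(stored)
    if m is None:
        raise ValueError("not a well-formed bcrypt hash")
    fields = m.groupdict()
    fields["cost"] = int(fields["cost"])
    if not 4 <= fields["cost"] <= 31:
        raise ValueError(f"bcrypt cost {fields['cost']} out of range")
    return fields


def normalize_prefix(stored: str) -> str:
    """Return a hash string an OpenBSD-style checker accepts.

    $2y$ (the Openwall/PHP marker for a correct implementation) is rewritten
    to $2b$, as in the workaround above; $2a$ and $2b$ are left unchanged;
    $2x$ marks output of the broken PHP implementation and is refused.
    """
    f = parse_bcrypt(stored)
    if f["prefix"] == "2x":
        raise UnsupportedBcryptPrefix("refusing $2x$ hash; rehash the user")
    prefix = "2b" if f["prefix"] == "2y" else f["prefix"]
    return f"${prefix}${f['cost']:02d}${f['salt']}{f['digest']}"


def prefix_status(stored: str) -> str:
    """One-word outcome, e.g. for logging or metrics during a migration."""
    try:
        return "rewritten" if normalize_prefix(stored) != stored else "accepted"
    except UnsupportedBcryptPrefix:
        return "refused"
    except ValueError:
        return "malformed"
```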
