Ila

Reputation: 65

MVC BCrypt.Verify allows different passwords

I have accidentally typed the wrong password and it has passed validation. I found out that passwords were saved with additional salts.

this.password = BCrypt.Net.BCrypt.HashPassword(prefixSalt + password + suffixSalt, BCrypt.Net.BCrypt.GenerateSalt(9));

And the verification:

BCrypt.Net.BCrypt.Verify(prefixSalt + password + suffixSalt, this.password);

In this way passwords are truncated to 8 characters, and anything after the 8th character is ignored. Can this issue be fixed without requiring all users to change their passwords?

Upvotes: 0

Views: 205

Answers (1)

Rob Church

Reputation: 6943

There's no way to reverse the process for bcrypt; it is a one-way algorithm. You could "fix" the data by following a process like:

// Lazy migration on login: accept the new scheme first, fall back to the old one.
if (BCrypt.Net.BCrypt.Verify(password, storedHash)) {
    // Already migrated: log on user
} else if (BCrypt.Net.BCrypt.Verify(prefixSalt + password + suffixSalt, storedHash)) {
    // Old scheme matched: re-hash under the new scheme and persist it
    this.password = BCrypt.Net.BCrypt.HashPassword(password);
    // Save to database
    // Log on user
} else {
    // User details incorrect
}

However, if the password is being truncated (although I cannot see why that is - perhaps the bug is elsewhere in the code?), this will not work as it would initially allow anyone to set anyone else's password.

Short answer: No, you need to reset everyone's password.

Upvotes: 1
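The symptom in the question is what bcrypt's 72-byte input limit looks like when a long fixed prefix is concatenated in front of the password: the library hashes only the first 72 bytes of the combined string, so a 64-byte prefix leaves 8 bytes of the real password inside the window. The following added example (not code from the question or the answer) reproduces that with a diagnostic, and shows a hardened form for the hashes issued after the reset the answer recommends: the password is first run through HMAC-SHA256 with the server-side secret and Base64-encoded, so the bcrypt input is a fixed 44 bytes regardless of password or secret length. It assumes the BCrypt.Net-Next package (namespace `BCrypt.Net`); the 64-character prefix, 16-character suffix and the server secret are constructed placeholder values, and the silent truncation is the behaviour the question reports, so confirm it against the library version you run.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added diagnostic and hardened variant; not code from the question or the answer.
// Assumes the BCrypt.Net-Next package (namespace BCrypt.Net).
static class PasswordHashing
{
    // bcrypt processes at most 72 bytes of input; bytes beyond that are ignored.
    const int BcryptMaxInputBytes = 72;

    // Constructed values: a 64-byte prefix leaves only 8 bytes of the real password
    // inside the 72-byte window, which reproduces the symptom in the question.
    static readonly string PrefixSalt = new string('p', 64);
    static readonly string SuffixSalt = new string('s', 16);

    // How many bytes of the user's password bcrypt will actually consider
    // under the prefix + password + suffix scheme.
    public static int EffectivePasswordBytes(string prefix)
    {
        return Math.Max(0, BcryptMaxInputBytes - Encoding.UTF8.GetByteCount(prefix));
    }

    // Scheme from the question, kept only for the diagnostic below.
    public static string HashOld(string password) =>
        BCrypt.Net.BCrypt.HashPassword(PrefixSalt + password + SuffixSalt,
                                       BCrypt.Net.BCrypt.GenerateSalt(9));

    public static bool VerifyOld(string password, string stored) =>
        BCrypt.Net.BCrypt.Verify(PrefixSalt + password + SuffixSalt, stored);

    // Hardened scheme: HMAC-SHA256 over the password keyed with a server-side secret,
    // Base64-encoded (44 ASCII bytes, never a NUL byte), then bcrypt. The bcrypt input
    // length is now constant, so nothing the user types can fall outside the window.
    static readonly byte[] ServerSecret =
        Encoding.UTF8.GetBytes("CONSTRUCTED-SECRET-replace-with-a-stored-secret"); // placeholder

    static string PreHash(string password)
    {
        using var hmac = new HMACSHA256(ServerSecret);
        return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(password)));
    }

    public static string HashNew(string password) =>
        BCrypt.Net.BCrypt.HashPassword(PreHash(password), BCrypt.Net.BCrypt.GenerateSalt(11));

    public static bool VerifyNew(string password, string stored) =>
        BCrypt.Net.BCrypt.Verify(PreHash(password), stored);

    static void Main()
    {
        Console.WriteLine($"old scheme: bcrypt sees {EffectivePasswordBytes(PrefixSalt)} bytes of the password");

        string oldHash = HashOld("correct-horse-battery-staple");
        // Same first 8 characters, different password: accepted under the old scheme.
        Console.WriteLine($"old scheme accepts 'correct-WRONG': {VerifyOld("correct-WRONG", oldHash)}");

        string newHash = HashNew("correct-horse-battery-staple");
        Console.WriteLine($"new scheme accepts 'correct-WRONG': {VerifyNew("correct-WRONG", newHash)}");
        Console.WriteLine($"new scheme accepts the right password: {VerifyNew("correct-horse-battery-staple", newHash)}");
    }
}
```

Run `EffectivePasswordBytes` against your real prefix as the first check: if it returns anything below the maximum password length you allow, the stored hashes do not commit to the full password and the answer's advice to reset applies. The HMAC pre-hash keeps the secret out of the bcrypt input entirely, so its length no longer affects how much of the password is hashed.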
