undefined | Better HN

0 pointsmagicalhippo1y ago0 comments

Bcrypt is salted[1], so that shouldn't matter?

[1]: https://en.wikipedia.org/wiki/Bcrypt#Description

0 comments

Are you sure?

bcrypt stores the salt and retrieves it for comparison - otherwise you wouldn't be able to generate a matching hash.

Consider the case where a user has a very long username and sets their password to their userId + username + password thus recreating the scenario which lead to the incident.

magicalhippoOP1y ago

That was not my point. My point was there wouldn't be a hash collision just by two users with the same password due to the salting.

Tade01y ago

There's no hash collision here, just two different hashes, each with its own salt, matching the same original phrase.

If you use only the password to generate the cache key, then this password will match regardless of salt, so users with the same password will generate a cache key matching that password.

1 more reply

j / k navigate · click thread line to collapse

0 comments

Tade01y ago

Are you sure?

bcrypt stores the salt and retrieves it for comparison - otherwise you wouldn't be able to generate a matching hash.

Consider the case where a user has a very long username and sets their password to their userId + username + password thus recreating the scenario which lead to the incident.

magicalhippoOP1y ago

That was not my point. My point was there wouldn't be a hash collision just by two users with the same password due to the salting.

Tade01y ago

There's no hash collision here, just two different hashes, each with its own salt, matching the same original phrase.

If you use only the password to generate the cache key, then this password will match regardless of salt, so users with the same password will generate a cache key matching that password.

1 more reply

j / k navigate · click thread line to collapse