Comeonin Bcrypt does not support the 2y prefix?

Question

Comeonin Bcrypt does not support the 2y prefix?

hariharasudhan94 opened this issue 8 years ago · 8 comments

I have a set passwords which have $2y$ prefix. When i trying to check password using Comeonin.Bcrypt.checkpw("hard to guess", stored_hash) , I am getting error like Comeonin Bcrypt does not support the 2y prefix, how can i resolve this issue

Answer 1 · 2017-04-05T15:06:26.000Z

The $2y$ prefix is provided by another version of Bcrypt (not the OpenBSD version), and it's not supported. There's also no plan to support it.

Answer 2 · 2017-04-06T04:30:00.000Z

Is there any other option or libraries, i can try right now?

Answer 3 · 2017-04-16T04:23:25.000Z

I don't know anything in Elixir or Erlang that supports the $2y$ prefix.

Answer 4 · 2017-04-22T08:53:27.000Z

@riverrun as far as I understand, $2y$ does not mark any incompatible algorithm. It is equal to $2a$.

PHP people had a bug in their implementation, and used special prefix $2x$ to mark hashes generated with broken implementation. Then, they decided that it's good idea to introcudce $2y$, to distinguish from possibly broken $2a$ they may have in database, and definitely broken $2x$.

So, in a nutshell, hashes with $2y$ could be treated as $2a$ and we should raise instead on prefix $2x$ that is indeed most likely wrong.

Answer 5 · 2017-04-27T01:41:44.000Z

The $2y$ prefix is part of the Openwall implementation, and according to their bcrypt page, it should be compatible with the $2b$ prefix from the OpenBSD version.

However, before I make any change, I obviously need to do a certain amount of research to decide how best to approach it. At the moment, I don't have the time to do that, but if there is a demand for $2y$ prefix support, I can make the time.

I hope that answers your questions.

Answer 6 · 2017-04-27T13:11:57.000Z

I'm not sure if this should be supported to be fair.

Maybe we simply need better error message saying that this prefix is not supported, and you should replace it with compatible $2b$ one.

Answer 7 · 2017-04-28T07:04:51.000Z

I could look into improving the error message.

Answer 8 · 2018-02-16T05:23:39.000Z

@riverrun

For what it's worth, this works for me:

  Comeonin.Bcrypt.checkpw(password, fix_prefix(password_hash))

  defp fix_prefix("$2y" <> rest), do: "$2b" <> rest
  defp fix_prefix(password_hash), do: password_hash