npm package bcrypt: why the compare function needs no salt — All In One
Why does the bcrypt.compare function need no salt when comparing against the original password?
https://github.com/kelektiv/node.bcrypt.js/discussions/972
salt rounds (cost factor) default 10
https://github.com/kelektiv/node.bcrypt.js/issues/963#issuecomment-1272338945
jwt signature
https://github.com/kelektiv/node.bcrypt.js/issues/935#issuecomment-1159411386
Per the bcrypt implementation, only the first 72 bytes of a string are used; any extra bytes are ignored when matching passwords. Note that this is not the first 72 characters: a string can contain fewer than 72 characters while taking up more than 72 bytes (e.g. a UTF-8 encoded string containing emojis).
demo
{
"dependencies": {
"bcrypt": "3.0.6",
}
}
Why does the bcrypt.compare function need no salt when comparing against the original password?
// hash-salt-test.js
const bcrypt = require('bcrypt');
/**
 * Hash a password with bcrypt.
 *
 * Note: the second parameter is named `salt` in this demo but is really the
 * cost factor (salt rounds). bcrypt generates its own random salt and stores
 * it inside the returned hash string (`$2b$<cost>$...`), which is why
 * compare() later needs no separate salt. Only the first 72 bytes of
 * `password` contribute to the hash.
 *
 * @param {string} password - plaintext password
 * @param {number} [salt=10] - cost factor (salt rounds); default 10
 * @returns {Promise<string>} the bcrypt hash string
 */
const hash = async (password, salt = 10) => {
  console.log(`❓salt =`, salt);
  const digest = await bcrypt.hash(password, salt);
  return digest;
};
/**
 * Verify a password against a stored bcrypt hash.
 *
 * No salt argument: compare() reads the cost and salt back out of `hashed`,
 * re-hashes `password` with them and compares the result.
 *
 * @param {string} password - plaintext password to verify
 * @param {string} hashed - bcrypt hash string produced by hash()
 * @returns {Promise<boolean>} true when the password matches
 */
const check = async (password, hashed) => {
  const matches = await bcrypt.compare(password, hashed);
  return matches;
};
/**
 * Demo: hash a fixed password at the given cost factor, then verify it.
 *
 * @param {number} [salt=10] - cost factor (salt rounds) forwarded to hash()
 * @returns {Promise<void>}
 */
const test = async (salt = 10) => {
  // 10 ASCII characters = 10 UTF-8 bytes, comfortably under bcrypt's 72-byte input limit.
  const pwd = 'pwd1234567';
  const hashed = await hash(pwd, salt);
  const matched = await check(pwd, hashed);
  console.log(`\nhash with salt`, hashed);
  console.log(`result =`, matched);
};
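// Run all five cost factors concurrently, as before (so the output still
// interleaves), but keep the promises so a rejection cannot float unobserved:
// an unhandled rejection would otherwise only surface as a process warning/crash.
Promise.all([test(), test(5), test(11), test(15), test(17)]).catch((err) => {
  console.error('bcrypt demo failed:', err);
  process.exitCode = 1;
});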
/*
$ node ./hash-salt-test.js
❓salt = 10
❓salt = 5
❓salt = 11
❓salt = 15
❓salt = 17
hash with salt $2b$05$.zICWxt0wAjGb58kIN6GwekMtP5jUeYD34/wqfE17yYqZ3rO43RV.
result = true
hash with salt $2b$10$PPJdjtaboGieRgk1p86bsuCHIqmiFhqaRGwHrpVs5/dZ3ZLC8b33m
result = true
hash with salt $2b$11$Y.Ozy9S5gtZUR1XD3egrGeZ1H8HmPOUqBDochpGM5pLCIP2tk38Xa
result = true
hash with salt $2b$15$UBGFkZRAxGgMMTaRDmxJ1eTgCBM.ovvESEyJJwrGeIpk/Vw3NPFkC
result = true
hash with salt $2b$17$zyjemy4KDsQDO8Q2kCgYeeW/FsG3kiWp0hXl4t.o8GUWrWjA4.R.S
result = true
*/
https://www.npmjs.com/package/bcrypt
https://github.com/kelektiv/node.bcrypt.js
https://github.com/nodejs/node-gyp
https://en.wikipedia.org/wiki/Bcrypt
JS: get a string's length in bytes
// js get string bytes length ✅
// Legacy approach: encodeURIComponent percent-encodes every non-ASCII byte of
// the UTF-8 form, and unescape turns each %XX back into a single char, so the
// resulting .length equals the UTF-8 byte count. (unescape is deprecated.)
(function () {
  const utf8Bytes = unescape(encodeURIComponent('pwd1234567')).length;
  console.log(`bytes =`, utf8Bytes);
  // 10
}());
// The signature '(string: string): string' of 'unescape' is deprecated.ts(6387)
// Standard approach: TextEncoder always produces UTF-8, so the length of the
// encoded byte array is the UTF-8 byte count (works in Node and browsers).
(function () {
  const encoded = new TextEncoder().encode('pwd1234567');
  console.log(`bytes =`, encoded.length);
  // 10
}());
// (() => {
// let size = new Blob(['pwd1234567']).size;
// console.log(`bytes =`, size);
// // 10
// })();
// Node.js v16 ❌ ReferenceError: Blob is not defined
// @since — v18.0.0
// https://nodejs.org/api/buffer.html#class-blob
// Node-only approach: Buffer.byteLength reports the size of the string in the
// named encoding; 'utf8' is also the default when no encoding is given.
(function () {
  const input = 'pwd1234567';
  console.log(`UTF-8 bytes =`, Buffer.byteLength(input, 'utf8'));
  // 10
}());
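// 'utf16' is not a Node encoding name: Buffer.byteLength treats unknown
// encodings as UTF-8, which is why the original line printed 10 and looked
// identical to the UTF-8 case. The correct name is 'utf16le' (alias 'ucs2'),
// under which every UTF-16 code unit costs 2 bytes.
(function () {
  const input = 'pwd1234567';
  console.log(`UTF-16 bytes =`, Buffer.byteLength(input, 'utf16le'));
  // 20
}());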
https://www.cloudhadoop.com/string-size-bytes-javascript/
https://www.geeksforgeeks.org/how-to-get-the-length-of-a-string-in-bytes-in-javascript/
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/length
blogs
https://www.monterail.com/blog/more-secure-passwords-bcrypt
https://codahale.com/how-to-safely-store-a-password/
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
https://github.com/OWASP/CheatSheetSeries
https://github.com/web-full-stack/CheatSheetSeries/tree/master/cheatsheets
https://github.com/web-full-stack/CheatSheetSeries/issues/1