Hacker News

I suspect Solar Designer wrote the implementation for John the Ripper with the goal of cracking passwords, not validating them properly. For this purpose, slightly-truncated hashes should work just as well (maybe slightly better).

If Openwall and py-bcrypt are using JtR code for actually validating them, that's a questionable bit of software engineering. JtR may not be doing the same type of input validation that one would want in your authentication code. More evidence for this suspicion is the input length disparity the blogger Rondam describes.
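As an added illustration of the kind of input validation the comment above has in mind (example code written for this page, not code from the thread, from py-bcrypt, from OpenBSD or from JtR), the following Python checks the shape of a stored bcrypt string before it is handed to a verifier. It assumes the common 60-character modular-crypt layout (`$2a$`/`$2b$`/`$2y$`, two-digit cost, 22-character salt, 31-character digest, all drawn from bcrypt's `./A-Za-z0-9` alphabet) and the cost range 4..31; the sample hash is a constructed string, not real bcrypt output.

```python
import re

# Assumed layout of a stored bcrypt string (modular crypt format):
#   "$2x$" (4) + cost "NN" (2) + "$" (1) + salt (22) + digest (31) = 60 chars
BCRYPT_LEN = 60
BCRYPT_ALPHABET = set(
    "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
)
# Cost (log2 of the number of rounds) range accepted by this check: 4..31
MIN_COST, MAX_COST = 4, 31


def validate_bcrypt_hash(stored: str) -> str:
    """Return "ok" if `stored` has the shape of a full bcrypt hash string,
    otherwise a short reason.  A truncated or padded hash, an unknown
    version prefix, an out-of-range cost, or a byte outside the bcrypt
    base64 alphabet is rejected before any password comparison happens."""
    if len(stored) != BCRYPT_LEN:
        return "bad-length"
    if re.match(r"^\$2[aby]\$", stored) is None:
        return "bad-prefix"
    cost_field, separator = stored[4:6], stored[6]
    if separator != "$" or not all(c in "0123456789" for c in cost_field):
        return "bad-cost"
    if not MIN_COST <= int(cost_field) <= MAX_COST:
        return "bad-cost"
    if any(c not in BCRYPT_ALPHABET for c in stored[7:]):
        return "bad-charset"
    return "ok"


def is_well_formed_bcrypt(stored: str) -> bool:
    """Boolean gate to place in front of the real verifier call."""
    return validate_bcrypt_hash(stored) == "ok"


# Constructed sample: correct shape, but NOT a real bcrypt output.
SAMPLE_HASH = "$2b$12$" + "abcdefghijklmnopqrstuv" + "wxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"

if __name__ == "__main__":
    # Show what the gate does with a full hash and with its truncated form,
    # i.e. the kind of input a cracker can tolerate but a verifier should not.
    for label, candidate in [
        ("full", SAMPLE_HASH),
        ("truncated", SAMPLE_HASH[:-1]),
        ("extra byte", SAMPLE_HASH + "A"),
        ("unknown prefix", "$2z$" + SAMPLE_HASH[4:]),
        ("cost too low", "$2b$03$" + SAMPLE_HASH[7:]),
    ]:
        print(f"{label:15s} -> {validate_bcrypt_hash(candidate)}")
```

The check is deliberately strict: a stored value that does not match the full layout is refused outright rather than being passed to a library that might silently accept a shorter digest.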



No, py-bcrypt uses the reference implementation from OpenBSD.


Has anyone looked at the length of the strings on OpenBSD?


Yes, py-bcrypt produces identical hashes (it was intended to be compatible).