
Faking bcrypt hashing with a timer instead of burning CPU cycles. In these runs the mean response time is indistinguishable from real hashing on an idle host; whether the two stay indistinguishable under load, across hosts/cost factors, or with many samples (the real-hash spread is wider in the recorded results) is not tested here.

fakery.js
var bcrypt = require('bcrypt');
var l = require('lambda-js');
 
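// Compare the wall-clock cost of real bcrypt hashing against a timer that
// merely *waits* for the measured average. The idea is to answer "user not
// found" after a fake delay instead of hashing a dummy password, without
// leaking an observable timing difference on the login path.
//
// NOTE(review): this script only shows that the *means* agree on one idle host
// at cost 10. In the recorded results the real hashes have a visibly wider
// spread (stddev ~4.1-4.6 in two of four runs vs ~1.4 for the timer), so an
// observer collecting many samples may still be able to tell the two paths
// apart statistically. A fixed timer constant also does not track CPU
// contention, hardware changes or a raised cost factor the way a real bcrypt
// call does, so it would have to be recalibrated per host. The conventional
// mitigation - running bcrypt against a fixed dummy hash on the unknown-user
// path - keeps both paths on the same code and is the safer default.
const password = 'thisIsAFakePassword!!!!1';
const RUNS = 100;

/**
 * Sample mean and sample (n - 1) standard deviation of a list of durations.
 *
 * @param {number[]} samples - per-run durations in milliseconds (non-empty)
 * @returns {{mean: number, stddev: number}} summary statistics
 * @throws {Error} when `samples` is empty
 */
function summarize(samples) {
  const n = samples.length;
  if (n === 0) {
    throw new Error('summarize: need at least one sample');
  }
  const mean = samples.reduce((sum, v) => sum + v, 0) / n;
  // A single sample has no spread; the original divided by RUNS - 1 and would
  // have produced NaN for RUNS === 1.
  if (n === 1) {
    return { mean, stddev: 0 };
  }
  const variance =
    samples.reduce((sum, v) => sum + (v - mean) * (v - mean), 0) / (n - 1);
  return { mean, stddev: Math.sqrt(variance) };
}

// --- Real hashing ----------------------------------------------------------
// Each sample covers salt generation plus the hash itself, i.e. what a login
// handler would actually spend on a known user.
const realTimes = [];
for (let i = 0; i < RUNS; i++) {
  const started = Date.now();
  const salt = bcrypt.genSaltSync(10);
  bcrypt.hashSync(password, salt); // result discarded; only the cost matters
  realTimes.push(Date.now() - started);
}

// Mean taken from the per-run samples. The original derived it from the total
// wall clock of the loop, which also counted loop overhead and so was not
// strictly comparable with the per-sample mean computed for the fake path.
const real = summarize(realTimes);
const mean = real.mean; // also the delay used for the fake path below
console.log(`Real bcrypting time per password: ${mean} +/- ${real.stddev}`);

// --- Fake hashing ----------------------------------------------------------
// Schedule RUNS timers back to back, each firing after the measured real mean.
// Node truncates a non-integer delay and a timer never fires early, so each
// fake sample is the delay plus whatever event-loop latency the callback sees;
// that latency is what the recorded +1-2 ms offset reflects.
const fakeTimes = [];
let fakeDone = 0;
for (let i = 0; i < RUNS; i++) {
  const started = Date.now();
  setTimeout(() => {
    fakeTimes[i] = Date.now() - started;
    fakeDone += 1;
    if (fakeDone === RUNS) {
      const fake = summarize(fakeTimes);
      console.log(
        `Apparent bcrypting time for fake hashing: ${fake.mean} +/- ${fake.stddev}`
      );
    }
  }, mean);
}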
results.txt
damocles@moya:~/uber/test$ node test.js
Real bcrypting time per password: 96.34 +/- 4.6491011404508535
Apparent bcrypting time for fake hashing: 97.69 +/- 1.4412396459894192
damocles@moya:~/uber/test$ node test.js
Real bcrypting time per password: 94.23 +/- 1.2170090842352461
Apparent bcrypting time for fake hashing: 95.78 +/- 1.618735009290593
damocles@moya:~/uber/test$ node test.js
Real bcrypting time per password: 94.04 +/- 1.247866866765728
Apparent bcrypting time for fake hashing: 94.96 +/- 0.9560017750712506
damocles@moya:~/uber/test$ node test.js
Real bcrypting time per password: 96.14 +/- 4.093996590229173
Apparent bcrypting time for fake hashing: 97.48 +/- 1.4443201189696842

