Faking bcrypt hashing instead of burning CPU cycles. Doesn't appear to be detectable.

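'use strict';

// Measures how long real bcrypt hashing takes on this machine, then checks
// whether a plain setTimeout() of that mean duration is distinguishable from
// it by wall-clock timing. Presumably intended for a login path that has no
// stored hash to compare against (unknown user), where a delay of the same
// length hides that no hashing happened without spending the CPU — confirm
// against the caller.
//
// NOTE(review): only the mean and sample stddev over RUNS iterations on one
// machine are compared here. A timer follows wall-clock time while bcrypt
// follows CPU time, so the two are likely to drift apart under load or on
// different hardware; running the real compare against a fixed dummy hash in
// the no-user path keeps the cost profile identical, at the price of the CPU
// time this script tries to save.
const bcrypt = require('bcrypt');

// Number of timed iterations for each of the two measurements.
const RUNS = 100;
// bcrypt cost factor used for the real hashes.
const COST = 10;
// Plaintext hashed on every real iteration; its content is irrelevant to the
// timing, only its presence is.
const PASSWORD = 'thisIsAFakePassword!!!!1';

/**
 * Arithmetic mean of `values`; 0 for an empty list so callers never divide
 * by zero.
 * @param {number[]} values
 * @returns {number}
 */
function average(values) {
  if (values.length === 0) return 0;
  return values.reduce((sum, val) => sum + val, 0) / values.length;
}

/**
 * Sample standard deviation (n - 1 denominator) of `values` around `mean`.
 * Returns NaN for fewer than two values, as the original formula did.
 * @param {number[]} values
 * @param {number} mean - the mean of `values`, computed by the caller
 * @returns {number}
 */
function sampleStddev(values, mean) {
  const sumSquares = values.reduce((sum, val) => {
    const dev = val - mean;
    return sum + dev * dev;
  }, 0);
  return Math.sqrt(sumSquares / (values.length - 1));
}

/**
 * Runs `runs` real bcrypt hashes synchronously and returns the wall-clock
 * time of each in milliseconds. Salt generation is timed too, as a real
 * registration/login path pays for it as well.
 * @param {number} runs
 * @returns {number[]}
 */
function timeRealHashes(runs) {
  const times = [];
  for (let i = 0; i < runs; i++) {
    const start = Date.now();
    const salt = bcrypt.genSaltSync(COST);
    // The digest itself is not needed; only its cost is being measured.
    bcrypt.hashSync(PASSWORD, salt);
    times.push(Date.now() - start);
  }
  return times;
}

/**
 * Starts `runs` timers of `delayMs` back-to-back (so they overlap rather
 * than run in sequence) and hands the apparent duration of each to
 * `onDone` once all have fired.
 * @param {number} runs
 * @param {number} delayMs - delay per fake hash; the measured real mean
 * @param {(times: number[]) => void} onDone
 */
function timeFakeHashes(runs, delayMs, onDone) {
  const times = [];
  let finished = 0;
  for (let i = 0; i < runs; i++) {
    const start = Date.now();
    setTimeout(() => {
      times[i] = Date.now() - start;
      finished++;
      if (finished === runs) onDone(times);
    }, delayMs);
  }
}

const rawTimes = timeRealHashes(RUNS);
// Mean and stddev are now both derived from the same per-iteration samples;
// the original took the mean from total elapsed time and the deviations
// from the samples, which mixed two slightly different quantities.
const mean = average(rawTimes);
const stddev = sampleStddev(rawTimes, mean);
console.log(`Real bcrypting time per password: ${mean} +/- ${stddev}`);

timeFakeHashes(RUNS, mean, (fakeRawTimes) => {
  const fakeMean = average(fakeRawTimes);
  const fakeStddev = sampleStddev(fakeRawTimes, fakeMean);
  console.log(`Apparent bcrypting time for fake hashing: ${fakeMean} +/- ${fakeStddev}`);
});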
damocles@moya:~/uber/test$ node test.js
Real bcrypting time per password: 96.34 +/- 4.6491011404508535
Apparent bcrypting time for fake hashing: 97.69 +/- 1.4412396459894192
damocles@moya:~/uber/test$ node test.js
Real bcrypting time per password: 94.23 +/- 1.2170090842352461
Apparent bcrypting time for fake hashing: 95.78 +/- 1.618735009290593
damocles@moya:~/uber/test$ node test.js
Real bcrypting time per password: 94.04 +/- 1.247866866765728
Apparent bcrypting time for fake hashing: 94.96 +/- 0.9560017750712506
damocles@moya:~/uber/test$ node test.js
Real bcrypting time per password: 96.14 +/- 4.093996590229173
Apparent bcrypting time for fake hashing: 97.48 +/- 1.4443201189696842