@dfellis /fakery.js
Faking bcrypt hashing with a timer instead of burning CPU cycles. Doesn't appear to be detectable from the per-call timings measured below.
var bcrypt = require('bcrypt');
var l = require('lambda-js');
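// Benchmark: time RUNS real bcrypt hashes, then time RUNS timers that simply
// wait for the measured mean, and print mean +/- sample standard deviation
// for both so the two latency profiles can be compared.
//
// NOTE(review): this compares latency on an otherwise idle process only.
// A timer costs no CPU, so when many requests arrive at once real hashes
// queue behind each other and slow down, while timer-backed responses keep
// returning after the same delay; that case is not measured here. The delay
// is also pinned to a mean taken on this machine at cost factor 10 and has to
// be re-measured whenever either changes. If the goal is to make logins for
// unknown accounts look like logins for known ones, verifying the submitted
// password against a fixed dummy bcrypt hash keeps both paths on the same
// code and the same load profile.
const password = 'thisIsAFakePassword!!!!1';
const RUNS = 100;

/**
 * Mean and sample standard deviation (n - 1 denominator) of a list of
 * millisecond timings.
 *
 * @param {number[]} samples - per-run elapsed times in milliseconds
 * @returns {{mean: number, stddev: number}}
 */
function summarize(samples) {
  const total = samples.reduce(function (sum, val) {
    return sum + val;
  }, 0);
  const average = total / samples.length;
  const squaredError = samples.reduce(function (sum, val) {
    const delta = val - average;
    return sum + delta * delta;
  }, 0);
  return {
    mean: average,
    stddev: Math.sqrt(squaredError / (samples.length - 1)),
  };
}

// Real hashing: each run generates a fresh salt and hashes synchronously.
const rawTimes = [];
for (let i = 0; i < RUNS; i++) {
  const runStart = Date.now();
  const salt = bcrypt.genSaltSync(10);
  // The hash itself is discarded; only the elapsed time matters here.
  bcrypt.hashSync(password, salt).substr(salt.length);
  rawTimes[i] = Date.now() - runStart;
}

// The mean is taken from the same per-run samples as the deviation. Dividing
// the loop's total wall time by RUNS (as before) folds loop overhead into the
// mean and centres the deviation on a value that is not the sample mean.
const real = summarize(rawTimes);
const mean = real.mean;
const stddev = real.stddev;
console.log('Real bcrypting time per password: ' + mean + ' +/- ' + stddev);

// Fake hashing: all timers are scheduled up front with the measured mean as
// their delay; each callback records how long it actually waited.
const fakeRawTimes = [];
let fakeRuns = 0;
for (let i = 0; i < RUNS; i++) {
  const scheduledAt = Date.now();
  setTimeout(function () {
    fakeRawTimes[i] = Date.now() - scheduledAt;
    fakeRuns++;
    // Report once, after the last outstanding timer has fired.
    if (fakeRuns === RUNS) {
      const fake = summarize(fakeRawTimes);
      console.log('Apparent bcrypting time for fake hashing: ' + fake.mean + ' +/- ' + fake.stddev);
    }
  }, mean);
}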
damocles@moya:~/uber/test$ node test.js
Real bcrypting time per password: 96.34 +/- 4.6491011404508535
Apparent bcrypting time for fake hashing: 97.69 +/- 1.4412396459894192
damocles@moya:~/uber/test$ node test.js
Real bcrypting time per password: 94.23 +/- 1.2170090842352461
Apparent bcrypting time for fake hashing: 95.78 +/- 1.618735009290593
damocles@moya:~/uber/test$ node test.js
Real bcrypting time per password: 94.04 +/- 1.247866866765728
Apparent bcrypting time for fake hashing: 94.96 +/- 0.9560017750712506
damocles@moya:~/uber/test$ node test.js
Real bcrypting time per password: 96.14 +/- 4.093996590229173
Apparent bcrypting time for fake hashing: 97.48 +/- 1.4443201189696842