Last active Oct 4, 2020
bcrypt-nodejs bug - Invalid salt revision

Bug - Invalid salt revision

Whenever I ran `compareSync(password, passwordHash)` I would see the error:

```
Invalid salt revision
```

What did it mean? Where did it come from?

This is the code in the bcrypt-nodejs library that throws it:

```javascript
// bcrypt-nodejs: `salt` here is the full "$2<minor>$<cost>$..." hash string
minor = salt.charAt(2);            // the revision letter after "$2"
if (minor != 'a' || salt.charAt(3) != '$')
  throw "Invalid salt revision";    // anything other than "$2a$" is rejected
off = 4;                            // offset where the cost digits start
```

That means it is looking for the letter `a` at index 2. I checked the password hash and saw that all of mine started with `$2b`. What is the difference between `$2a` and `$2b`? It's a long story involving several other `$2<letter>` versions, but in short: researchers occasionally discover bugs in bcrypt implementations, and the revision letter is bumped so that hashes produced by older and newer implementations can be told apart.

So bcrypt-nodejs is old.
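As an added example (not code from this gist, from bcrypt-nodejs or from bcryptjs), here is a small parser for the bcrypt hash string format that pulls out the revision letter, cost and salt, beside a reimplementation of the check quoted above and a lenient check that accepts the `$2a$`, `$2b$` and `$2y$` revisions. Running it against a `$2b$` hash shows exactly where the error comes from. The sample hashes are constructed (dummy salt and digest characters, not real password hashes), and the set of accepted revisions is my assumption about what a current implementation such as bcryptjs understands.

```javascript
// Added example: parse a bcrypt hash and check its revision prefix.
// Format: "$2<minor>$<cost>$<22-char salt><31-char digest>", where salt and
// digest use bcrypt's own base64 alphabet "./A-Za-z0-9".
const BCRYPT_RE = /^\$2([abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Split a bcrypt hash into its fields; returns null for anything malformed.
function parseBcryptHash(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) return null;
  return { minor: m[1], cost: parseInt(m[2], 10), salt: m[3], digest: m[4] };
}

// Mirror of the bcrypt-nodejs check quoted in the gist: only "$2a$" passes.
// Returns the library's error string, or null when the hash is accepted.
function bcryptNodejsSaltCheck(salt) {
  const minor = salt.charAt(2);
  if (minor !== 'a' || salt.charAt(3) !== '$') return 'Invalid salt revision';
  return null;
}

// Lenient check (assumption: the revisions a modern library accepts).
const ACCEPTED_MINORS = new Set(['a', 'b', 'y']);
function isSupportedRevision(hash) {
  const parsed = parseBcryptHash(hash);
  return parsed !== null && ACCEPTED_MINORS.has(parsed.minor);
}

// Constructed sample hashes: dummy salt/digest characters, valid length only.
const DUMMY_SALT = 'abcdefghijklmnopqrstuv';           // 22 chars
const DUMMY_DIGEST = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ01234'; // 31 chars
const SAMPLES = {
  revA: '$2a$10$' + DUMMY_SALT + DUMMY_DIGEST,
  revB: '$2b$10$' + DUMMY_SALT + DUMMY_DIGEST,
  revZ: '$2z$10$' + DUMMY_SALT + DUMMY_DIGEST,   // unknown revision
  junk: 'not a bcrypt hash',
};

// Explain, for one stored hash, what each check would do with it.
function describe(hash) {
  const parsed = parseBcryptHash(hash);
  return {
    parsed: parsed !== null,
    minor: parsed ? parsed.minor : null,
    bcryptNodejs: bcryptNodejsSaltCheck(hash) === null ? 'accepted' : 'rejected',
    lenient: isSupportedRevision(hash) ? 'accepted' : 'rejected',
  };
}

for (const [name, hash] of Object.entries(SAMPLES)) {
  console.log(name, describe(hash));
}
```

The `$2b$` sample is parsed fine and passes the lenient check, but the bcrypt-nodejs check rejects it on the revision letter alone, which is why every compare against a hash produced by a newer implementation fails before any hashing happens.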


bcrypt-nodejs is no longer maintained - DO NOT USE IT. Use bcryptjs instead. Ask your users to create new passwords, OR, if you haven't launched yet, create the passwords using bcryptjs from the start.
