@theptrk
Last active October 4, 2020 09:14
bcrypt-nodejs bug - Invalid salt revision

Bug - Invalid salt revision

Whenever I ran `compareSync(password, passwordHash)` I would see the error:

Invalid salt revision

What did it mean? Where did it come from?

This is the code in the library bcrypt-nodejs that throws it:

```javascript
// bcrypt-nodejs only recognises the "$2a$" prefix: index 2 must be 'a'
// and index 3 must be '$', otherwise the salt is rejected outright.
minor = salt.charAt(2);
if (minor != 'a' || salt.charAt(3) != '$')
  throw "Invalid salt revision";
off = 4; // the cost factor starts right after "$2a$"
```

That means it is looking for the letter `a` at index 2. I checked the password hashes and saw that all of mine started with `$2b`. What is the difference between `$2a` and `$2b`? It's a long story that includes several other `$2<letter>` versions, but in short: researchers may discover bugs in implementations, and the letter is used to distinguish older implementations from newer ones.

So bcrypt-nodejs is old.
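As an added example (not code from this gist or from bcrypt-nodejs), the snippet below parses the `$2<letter>$cost$` prefix the library checks, reproduces its `$2a$`-only test, and inventories a set of stored hashes so you can see how many would fail before swapping libraries. The `x` and `y` minors are other known bcrypt revisions; the strings in `SAMPLE_HASHES` are constructed placeholders with the right shape, not real bcrypt output.

```javascript
// Modular-crypt bcrypt layout: $2<minor>$<cost>$<22-char salt><31-char digest>
// minor may be empty ("$2$") or one of a, b, x, y; total length is 59 or 60.
const BCRYPT_RE = /^\$2([abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$/;

function parseBcryptHash(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) return null;
  return {
    minor: m[1],               // '' for "$2$", otherwise 'a', 'b', 'x' or 'y'
    cost: parseInt(m[2], 10),  // log2 of the work factor
    salt: m[3].slice(0, 22),   // 22 bcrypt-base64 chars = 128-bit salt
    digest: m[3].slice(22),    // 31 chars = 184-bit hash output
  };
}

// Same test bcrypt-nodejs performs: only "$2a$" hashes are accepted.
function legacyLibraryAccepts(hash) {
  return hash.charAt(2) === 'a' && hash.charAt(3) === '$';
}

// Count stored hashes by revision and report how many the legacy library
// would reject, so a migration can be sized before users are locked out.
function auditStoredHashes(hashes) {
  const report = { total: hashes.length, byMinor: {}, legacyIncompatible: 0, malformed: 0 };
  for (const h of hashes) {
    const parsed = parseBcryptHash(h);
    if (!parsed) { report.malformed++; continue; }
    const key = parsed.minor || '(none)';
    report.byMinor[key] = (report.byMinor[key] || 0) + 1;
    if (!legacyLibraryAccepts(h)) report.legacyIncompatible++;
  }
  return report;
}

// Constructed sample data: correct shape, but the salt/digest bytes are dummy.
const SAMPLE_HASHES = [
  '$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234',
  '$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234',
  '$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234',
  '$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234',
  'not-a-bcrypt-hash',
];

console.log(JSON.stringify(auditStoredHashes(SAMPLE_HASHES)));
```

Running the audit over a database export tells you how many users will hit "Invalid salt revision" before any user does.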

TLDR

bcrypt-nodejs is no longer maintained - DO NOT USE IT. Use bcryptjs instead. Ask your users to create new passwords, or, if you haven't launched yet, create the new passwords using bcryptjs.
