Trailing underscores are not accounted for.

[savoygrizzly]

When using bcrypt.compare(password, user.password) with the original hashed user.password being something and the supplied password being something__ or something_, bcrypt.compare will return true.

Just wondering if this is intended behavior, if it is I'd consider this VERY bad practice.

[dcodeIO]

The following works as expected and does not return true:

var hash = bcryptjs.hashSync("something");
var result = bcryptjs.compareSync("something_", hash);
console.log(result); // logs false

Note, though, that the maximum input length is 72 bytes as explained in the README, so if the input is longer than that, remaining bytes are truncated, which might explain the behavior.