kelektiv / node.bcrypt.js

bcrypt for NodeJs
MIT License

Inconsistent results from bcrypt.compare #885

Closed amsaid1989 closed 3 years ago

amsaid1989 commented 3 years ago

I am testing bcrypt because I want to use it for one of my projects, but I am getting inconsistent results from the bcrypt.compare function. When I compare the hash with the correct password, sometimes the result of the comparison is false. This seems to happen if I am comparing multiple passwords, one after the other, to check which of them matches the hash.

Here is the code I am using (stripped of the error handling code for simplicity):

import bcrypt from "bcrypt";

const password1 = "testing123";
const password2 = "hello-world";

const saltRounds = 10;

bcrypt.genSalt(saltRounds, function (err, salt) {
    // the generated salt is not used here; hash() derives its own from saltRounds
    bcrypt.hash(password1, saltRounds, function (err, hash) {
        console.log(hash);

        // both compare calls are started at once; their callbacks may complete in either order
        bcrypt.compare(password1, hash, function (err, result) {
            console.log(result);
        });

        bcrypt.compare(password2, hash, function (err, result) {
            console.log(result);
        });
    });
});

And here is the output from a couple of runs of the code:

$2b$10$L6AqGkRfKG02vs31PzaKIuDpT9jKlvgM6Kr0SaTAm34tRGagDtCv6
false
true

$2b$10$kTAZaSCx6DGK0U8i5cV29e7F9mZqSu.LTyc7fJmAkGlx2JJvrPd6O
false
true

$2b$10$mpHpPSzI2jSkpO7QBQBseuPeQHUJBs9QPjT/qi5Wfp59zJ2oQdr/y
true
false

$2b$10$hoohc4BgArKmXTu5ko7PmOC404l1KfHg539J/IRYb0Po6WO8lc9P2
true
false

$2b$10$PZMdfqHhCsPx4uC47gGfyueD/ec2AKLE/D5ByIUPfsR6vgfDjN0DW
true
false

As you can see, the comparison with password1 sometimes returns false.

If I remove the comparison with password2, things seem to work properly.

Code

import bcrypt from "bcrypt";

const password1 = "testing123";

const saltRounds = 10;

bcrypt.genSalt(saltRounds, function (err, salt) {
    // the generated salt is not used here; hash() derives its own from saltRounds
    bcrypt.hash(password1, saltRounds, function (err, hash) {
        console.log(hash);

        bcrypt.compare(password1, hash, function (err, result) {
            console.log(result);
        });
    });
});

Output

$2b$10$hZEp7jdcpKbMeXJTV7BAaOnHs.bkHoNnQTH8pwErwTpoyw0.jqERW
true

$2b$10$eSdB/yjS2SAFYKemVSDaMOt2K46QIDbFr/M6rT/KI1XrCR833OfIq
true

$2b$10$BYjVnAO./8948EGKI7bUQu85UP9YfLsndjFh8orCalKPA6tgQvT6K
true

$2b$10$FHZwQTVpKzUyre/8hFkOaObEKhUhGYE44VxjD9UylRqocKo/pCixe
true

$2b$10$oUSSMWGk78K5n/VKEoNGwe2RhiWzEm1Fdw/JedHmr9a0OXzIR55ue
true

I checked previous issues that reported the same behavior, but none of them helped me figure out what is causing the issue.

What am I missing here?

Here is my system information: Fedora 34 Workstation, bcrypt 5.0.1, node 14.17.0

All the dependencies mentioned for bcrypt on Fedora are installed.

scttnlsn commented 3 years ago

The 2 bcrypt.compare callbacks are likely completing in a different, nondeterministic order each time. Try this instead:

bcrypt.compare(password1, hash, function (err, result) {
  console.log(result);

  bcrypt.compare(password2, hash, function (err, result) {
    console.log(result);
  });
});

amsaid1989 commented 3 years ago

Thanks @scttnlsn. That was it... not sure why that didn't come to my mind when it is that simple. In hindsight, it makes a lot of sense.

Thank you very much.