Enhanced Entropy: sha384 and NUL bytes
Hello,
I was reading this article (which actually recommends this library) about using bcrypt for password hashing.
It suggests passing the password through SHA384 before using bcrypt in order to circumvent the bcrypt limitation.
I was glad to find that your library implemented it through the enhancedEntropy parameter.
However, looking at the code, I couldn't find any mention of base64 encoding after the SHA384 and prior to bcrypt.
base64 is suggested in the article because:
"Bcrypt truncates on NUL bytes."
and
"A base64-encoded hash is guaranteed to not contain NUL bytes."
Thanks for your insight.
EDIT: Adding some reference implementations seen elsewhere: in the PasswordLock PHP library, they effectively perform base64 after sha384. In the passlib Python library, they also perform base64 after sha256.
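To make the NUL-byte concern from the article concrete, here is an added illustration (not code from the issue, the article, or the library being discussed). It assumes a simplified emulation of how a C-string based bcrypt reads its key (stop at the first NUL, then cap at 72 bytes) and compares a raw SHA-384 pre-hash with a base64-encoded one; the candidate passwords are constructed by a search.

```python
import base64
import hashlib

BCRYPT_MAX_BYTES = 72  # bcrypt never uses more than 72 bytes of its input


def bcrypt_effective_input(key: bytes) -> bytes:
    """Emulate how a C-string based bcrypt implementation sees its input.
    Assumption for illustration only, not a bcrypt implementation: the key is
    read up to the first NUL byte and then capped at 72 bytes.
    """
    nul = key.find(b"\x00")
    if nul != -1:
        key = key[:nul]
    return key[:BCRYPT_MAX_BYTES]


def prehash_raw(password: str) -> bytes:
    """Raw SHA-384 digest: 48 bytes that may contain NUL."""
    return hashlib.sha384(password.encode("utf-8")).digest()


def prehash_base64(password: str) -> bytes:
    """base64(SHA-384) as the article recommends: 64 printable bytes, no NUL."""
    return base64.b64encode(hashlib.sha384(password.encode("utf-8")).digest())


def bytes_reaching_bcrypt(prehash, password: str) -> int:
    """How many pre-hash bytes survive NUL and 72-byte truncation."""
    return len(bcrypt_effective_input(prehash(password)))


def find_passwords_with_leading_nul(count: int = 2, limit: int = 20000) -> list:
    """Constructed search for distinct passwords whose raw SHA-384 digest
    starts with 0x00; about 1 in 256 does, so a few thousand tries suffice."""
    found = []
    for i in range(limit):
        candidate = f"constructed-pw-{i}"
        if prehash_raw(candidate)[0] == 0:
            found.append(candidate)
            if len(found) == count:
                break
    return found


def collide_under_truncation(prehash, p1: str, p2: str) -> bool:
    """True when the emulated bcrypt receives identical input for two
    different passwords, so one would verify against the other's hash."""
    return bcrypt_effective_input(prehash(p1)) == bcrypt_effective_input(prehash(p2))
```

With the raw digest, any two passwords whose digests start with 0x00 collapse to an empty bcrypt input and would verify against each other; with base64 the full 64 bytes reach bcrypt every time.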
Top GitHub Comments
Alright. Looking forward to the new version. Thanks!
Since you are adding sha512, maybe also add an option to add sha256 for interoperability with other libs (such as Passlib)? I don't know if it's worth it actually…
Anyway, I’m glad we were able to work things out and that everything is OK and secure 😄 Thanks for actively maintaining this lib. You’re doing an awesome job.