Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Enhanced Entropy: sha384 and NUL bytes

See original GitHub issue


I was reading this article (which actually recommend this library) about using bcrypt for password hashing.

It suggests to pass the password through SHA384 before using bcrypt in order to circumvent the bcrypt limitation.

I was glad to find that your library implemented it through the enhancedEntropy parameter.

However, looking at the code, I couldn’t find any mention of base64 encoding after the SHA384 and prior bcrypt.

base64 is suggested in the article because:

Bcrypt truncates on NUL bytes.


A base64-encoded hash is guaranteed to not contain NUL bytes

Thanks for your insight.

EDIT Adding some reference implementation seen elsewhere: In PasswordLock PHP library, they effectively perform base64 after sha384. In passlib Python library, they also perform base64 after sha256.

Issue Analytics

  • State:closed
  • Created 5 years ago
  • Comments:13

github_iconTop GitHub Comments

Indigo744commented, May 1, 2018

Alright. Looking forward the new version. Thanks!

Indigo744commented, May 1, 2018

Since you are adding sha512, maybe also add an option to add sha256 for interoperability with other lib (such as Passlib)? I don’t know if it’s worth it actually…

Anyway, I’m glad we were able to work things out and that everything is OK and secure 😄 Thanks for actively maintaining this lib. You’re doing an awesome job.

Read more comments on GitHub >

github_iconTop Results From Across the Web -
Enhanced Entropy. The recommended 56 byte password limit (including null termination byte) for bcrypt relates to the 448 bit limit of the Blowfish...
Read more >
Does bcrypt have a maximum password length?
BCrypt is limited to 72 bytes. The original paper also mentions the use of a null terminator. This means you would generally limited...
Read more >
A note about combining SHA512 with bcrypt
Each SHA512 hash has a 25% chance of containing a null byte if you use the raw binary format. Using hex or base64,...
Read more >
Configuring & Understanding OSPF HMAC Authentication
Null is equivalent to no authentication. ... with full entropy. 64 bytes is the minimum for SHA-512 HMAC and this is an acceptable...
Read more >
RFC 5246 – The TLS Protocol Version 1.2
The master secret is expanded into a sequence of secure bytes, which is then split to a client write MAC key, a server...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found