Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Argon2i encoder can validate BCrypt encoded passwords and vice versa #29827

Closed
julienfalque opened this issue Jan 9, 2019 · 4 comments
Closed

Argon2i encoder can validate BCrypt encoded passwords and vice versa #29827

julienfalque opened this issue Jan 9, 2019 · 4 comments
Labels
Security

Comments

@julienfalque
Copy link
Contributor

Argon2iPasswordEncoder and BCryptPasswordEncoder both validate passwords using the password_verify() function without checking the hash type first. As the function can infer the type from the given hash, this means both encoders are able to validate any hash whose type can be infered.

In other words, Argon2iPasswordEncoder can validate BCrypt encoded passwords and BCryptPasswordEncoder can validate Argon2i encoded passwords. IMO this is not a bug but it's not really expected either. WDYT?
@xabbuh xabbuh added the Security label Jan 9, 2019
@stof
Copy link
Member

stof commented Jan 9, 2019

I would say that we don't really care about that implementation detail.

@chalasr
Copy link
Member

chalasr commented Jan 10, 2019

I agree with @stof.

@xabbuh
Copy link
Member

xabbuh commented Jan 10, 2019

I agree as well. Though one should not rely on it to always work in the future.

@xabbuh xabbuh closed this as completed Jan 10, 2019
@PhilETaylor PhilETaylor mentioned this issue Mar 12, 2019
Merged
@PhilETaylor
Copy link
Contributor

#29863 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@PhilETaylor @stof @julienfalque @xabbuh @chalasr