Summary

BCryptPasswordEncoder causes two passwords, where one is the repetition of the other (e.g. "abc" and "abcabc"), to produce the same hash (assuming the same salt is used).
Details

BCryptPasswordEncoder calls BCrypt.generate(...) without adding a trailing null byte to the password. As mentioned in bcgit/bc-java#393, this causes two passwords where one is the repetition of the other to produce the same hash (assuming the same salt is used). For example:
import java.util.HexFormat;
import java.util.Random;
import org.bouncycastle.crypto.generators.BCrypt;

byte[] salt = new byte[16];
new Random().nextBytes(salt);
// Both lines print the same hex string: without a terminating null byte, bcrypt cycles the
// password bytes to fill its key schedule, so "ab" and "abab" supply identical key material.
System.out.println(HexFormat.of().formatHex(BCrypt.generate(new byte[] {'a', 'b'}, salt, 10)));
System.out.println(HexFormat.of().formatHex(BCrypt.generate(new byte[] {'a', 'b', 'a', 'b'}, salt, 10)));