by philippta 505 days ago
What's the reason behind bcrypt(userId + username + password) rather than just bcrypt(password) ?
2 comments

What if two different users have the same password?
Bcrypt is salted[1], so that shouldn't matter?

[1]: https://en.wikipedia.org/wiki/Bcrypt#Description

Are you sure?

bcrypt stores the salt and retrieves it for comparison - otherwise you wouldn't be able to generate a matching hash.

Consider the case where a user has a very long username and sets their password to their userId + username + password, thus recreating the scenario which led to the incident.

That was not my point. My point was there wouldn't be a hash collision just by two users with the same password due to the salting.
There's no hash collision here, just two different hashes, each with its own salt, matching the same original phrase.

If you use only the password to generate the cache key, then this password will match regardless of salt, so users with the same password will generate a cache key matching that password.

Yes, that's what I pointed out when you suggested there would be a problem with two different users having the same password.
Why would that matter though?
rainbow tables I guess
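As an added illustration that is not part of the thread: the "very long username" scenario above hinges on bcrypt only using the first 72 bytes of its input, so when `userId + username` alone reaches that limit the password no longer changes what bcrypt hashes. The code below (standard library only, with `BCRYPT_MAX_INPUT`, the helper names and the sample user ids all being this example's own constructions) models that truncation, gives a defender's audit check for it, and shows a fixed-length prehash of the composite as one mitigation.

```python
import hashlib

# bcrypt's key schedule consumes at most the first 72 bytes of its input;
# the constant name is this example's own, the limit is a known bcrypt property.
BCRYPT_MAX_INPUT = 72


def composite_input(user_id: str, username: str, password: str) -> bytes:
    """The key material discussed in the thread: userId + username + password."""
    return (user_id + username + password).encode("utf-8")


def effective_bcrypt_input(material: bytes) -> bytes:
    """Model bcrypt's truncation: only the first 72 bytes influence the hash."""
    return material[:BCRYPT_MAX_INPUT]


def password_is_ignored(user_id: str, username: str, password: str) -> bool:
    """Audit check: True when the identifier prefix alone already fills the
    72-byte window, so every password yields the same effective input."""
    prefix = (user_id + username).encode("utf-8")
    return len(prefix) >= BCRYPT_MAX_INPUT


def prehashed_input(user_id: str, username: str, password: str) -> bytes:
    """Mitigation: bind all three fields into a fixed-length hex digest
    (64 bytes, no NUL bytes) before handing it to bcrypt, so no field can
    push another past the 72-byte limit."""
    digest = hashlib.sha256(composite_input(user_id, username, password))
    return digest.hexdigest().encode("ascii")


def audit(users) -> list:
    """Return the (user_id, username) pairs whose prefix exhausts bcrypt's input."""
    return [(u, n) for u, n in users if password_is_ignored(u, n, "")]


if __name__ == "__main__":
    # Constructed sample accounts, not real identifiers.
    sample = [("00uAAAAAAAAAA", "alice"), ("00uBBBBBBBBBB", "b" * 60)]
    print("accounts where the password no longer matters:", audit(sample))
```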