The joys of bcrypt
I had the joy of coming across bcrypt the other week: a pretty neat way of storing individually hashed passwords within a single table, each with a different salt.
The salt, algorithm identifier and number of hashing iterations are all stored within the output hash string itself, so anything that can parse those elements can use the stored hash to verify a candidate password against it.
I needed to sort this out within Lucee (an open-source ColdFusion implementation), so I went looking for an extension tag or similar to use as the base library. I found this one: https://github.com/boughtonp/cfpassphrase/ which has been around for a while, and I managed to get it working across all of our test subjects' passwords.
The algorithm has been revised over the years, and this library does not implement the fix for an ambiguity that was discovered a good number of years ago. Apparently there are some cases where a single password could end up producing two different outputs, and the revision to the algorithm pinned the result to just one of those two outcomes. This library doesn't appear to have had that fix applied. I guess if I ever hear that certain specific people can't log in, I'll need to address that issue then.
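As an added example (not code from this post or from the cfpassphrase library), here is a small Python parser that pulls the variant prefix, cost, salt and digest back out of a stored bcrypt string, which are exactly the parts a verifier needs before it can recompute the hash for a candidate password. The sample hash string is constructed for illustration and is not the hash of any real password.

```python
import re

# bcrypt uses its own base64 alphabet, not the RFC 4648 one.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# Modular-crypt layout: $<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

def bcrypt_b64decode(text, nbytes):
    """Decode bcrypt base64 text to exactly nbytes bytes (trailing pad bits dropped)."""
    acc, bits, out = 0, 0, bytearray()
    for ch in text:
        acc = (acc << 6) | BCRYPT_ALPHABET.index(ch)
        bits += 6
        if bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
    return bytes(out[:nbytes])

def bcrypt_b64encode(data):
    """Encode raw bytes with the bcrypt alphabet (inverse of bcrypt_b64decode)."""
    acc, bits, out = 0, 0, []
    for byte in data:
        acc = (acc << 8) | byte
        bits += 8
        while bits >= 6:
            bits -= 6
            out.append(BCRYPT_ALPHABET[(acc >> bits) & 0x3F])
    if bits:  # left-justify the leftover bits into a final character
        out.append(BCRYPT_ALPHABET[(acc << (6 - bits)) & 0x3F])
    return "".join(out)

def parse_bcrypt_hash(stored):
    """Split a stored bcrypt string into the parts a verifier needs."""
    match = BCRYPT_RE.match(stored)
    if not match:
        raise ValueError("not a bcrypt hash string")
    variant, cost, salt_b64, digest_b64 = match.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost must be between 4 and 31")
    return {
        "variant": variant,               # 2a, 2b, 2x, 2y: which revision of the algorithm to run
        "cost": cost,                     # log2 of the key-schedule iteration count
        "rounds": 1 << cost,              # actual number of expensive iterations
        "salt": bcrypt_b64decode(salt_b64, 16),      # 128-bit per-user salt
        "digest": bcrypt_b64decode(digest_b64, 23),  # 184-bit hash output
    }

SAMPLE_HASH = "$2b$12$abcdefghijklmnopqrstueABCDEFGHIJKLMNOPQRSTUVWXYZabcde"  # constructed sample, not a real password hash
```

A verifier that checks the variant prefix before recomputing is what lets a store hold hashes produced under different revisions of the algorithm side by side.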