jBCrypt checkpw returns true even though passwords are different
I'm pretty sure I must be doing something wrong, but why does the test fail on the last two assertions?
Is it OK for two relatively similar but different strings (basically JWTs) to verify against each other's hash?
import org.mindrot.jbcrypt.BCrypt;
import org.junit.Test;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

public class BCryptTokenTest {
    @Test
    public void testMoreHashing() {
        // Two JWT-like strings with the same header; the payloads first differ well past the start
        String longToken = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJCTFVCQl9BVURJRU5DRSIsInN1YiI6IkNZOXJ6VVloMDNQSzNrNkRKaWUwOWc9PSIsIm5iZiI6MTUxMzI4NzAzNCwiaXNzIjoiSVNTVUVSIiwiZXhwIjoxNTE4NDcxMDM0LCJpYXQiOjE1MTMyODcwMzQsImVtYWlsIjoiYUBiLmNvbSJ9.IYMKztYEIJxzYgHpUDhCHcG22h28OQAsMg7TEMBVYELSczeniwv8IKxgrSBub9Q0X14UT6LnQUu4yeeTofRYH2jRSwW42gfaW5uK8NJQVdluNdZwUsWHVG05gbaSM7ZeS4tH3-SVbUOO3uJ-N2sVcBF5AFLaIAu0GD9CzPU1CjYYc9JiAArztAS5j7pK-xGNTRCKvcoGLa9iG9nhvssTZkPH6kPOJj9RHFo30mgSnPIGSc6040h7n8X7LCUC4qfUe1sOknHomN_RKTQk4Q5FBL1snTyCTxcaErVwvjv__YK9FQ40pDfOboEsSk81CYW6SbqDIdVlyr09VrDzIwJpPA";
        String shortToken = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJCTFVCQl9BVURJRU5DRSIsInN1YiI6IlU3bFFoV09TUDBmMDdOZ1BWTkd3d0E9PSIsIm5iZiI6MTUxMzI4NzAzNSwiaXNzIjoiSVNTVUVSIiwiZXhwIjoxNTE4NDcxMDM1LCJpYXQiOjE1MTMyODcwMzUsImVtYWlsIjoiYUBiLmNvbSJ9.";
        // Each token verifies against its own hash (cost factor 13)
        String longTokenHash = BCrypt.hashpw(longToken, BCrypt.gensalt(13));
        assertTrue(BCrypt.checkpw(longToken, longTokenHash));
        String shortTokenHash = BCrypt.hashpw(shortToken, BCrypt.gensalt(13));
        assertTrue(BCrypt.checkpw(shortToken, shortTokenHash));
        // The tokens and their hashes differ, and neither token contains the other
        assertFalse(longToken.equalsIgnoreCase(shortToken));
        assertFalse(longTokenHash.equalsIgnoreCase(shortTokenHash));
        assertFalse(longToken.contains(shortToken));
        // These two assertions are the ones that fail
        assertFalse(BCrypt.checkpw(longToken, shortTokenHash));
        assertFalse(BCrypt.checkpw(shortToken, longTokenHash));
    }
}
The jBCrypt version in use, copied from my pom.xml, is
<dependency>
    <groupId>de.svenkubiak</groupId>
    <artifactId>jBCrypt</artifactId>
    <version>0.4</version>
</dependency>
JUnit is version 4.12.
Thanks for your help :)
As @tadman pointed out, the Blowfish algorithm used truncates the password to 72 characters, and the passwords used only start to differ at character 79.
See also https://security.stackexchange.com/questions/39849/does-bcrypt-have-a-maximum-password-length
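An added example (not from the question or from the jBCrypt project) that reproduces the arithmetic behind this answer without needing a bcrypt library: it models the 72-byte key truncation in Python, finds where the two tokens from the question diverge, and shows the usual mitigation of pre-hashing long secrets before handing them to bcrypt. The token strings are copied from the question; the function names and the 72-byte constant's placement are choices made here.

```python
import base64
import hashlib

# Tokens copied from the question above (the asker's test inputs).
LONG_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJCTFVCQl9BVURJRU5DRSIsInN1YiI6IkNZOXJ6VVloMDNQSzNrNkRKaWUwOWc9PSIsIm5iZiI6MTUxMzI4NzAzNCwiaXNzIjoiSVNTVUVSIiwiZXhwIjoxNTE4NDcxMDM0LCJpYXQiOjE1MTMyODcwMzQsImVtYWlsIjoiYUBiLmNvbSJ9.IYMKztYEIJxzYgHpUDhCHcG22h28OQAsMg7TEMBVYELSczeniwv8IKxgrSBub9Q0X14UT6LnQUu4yeeTofRYH2jRSwW42gfaW5uK8NJQVdluNdZwUsWHVG05gbaSM7ZeS4tH3-SVbUOO3uJ-N2sVcBF5AFLaIAu0GD9CzPU1CjYYc9JiAArztAS5j7pK-xGNTRCKvcoGLa9iG9nhvssTZkPH6kPOJj9RHFo30mgSnPIGSc6040h7n8X7LCUC4qfUe1sOknHomN_RKTQk4Q5FBL1snTyCTxcaErVwvjv__YK9FQ40pDfOboEsSk81CYW6SbqDIdVlyr09VrDzIwJpPA"
SHORT_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJCTFVCQl9BVURJRU5DRSIsInN1YiI6IlU3bFFoV09TUDBmMDdOZ1BWTkd3d0E9PSIsIm5iZiI6MTUxMzI4NzAzNSwiaXNzIjoiSVNTVUVSIiwiZXhwIjoxNTE4NDcxMDM1LCJpYXQiOjE1MTMyODcwMzUsImVtYWlsIjoiYUBiLmNvbSJ9."

# bcrypt's Blowfish key schedule consumes at most 72 bytes of the
# UTF-8 encoded password; everything after that never reaches the hash.
BCRYPT_MAX_BYTES = 72


def effective_key(secret: str) -> bytes:
    """The bytes bcrypt actually hashes: UTF-8 encoding cut at 72 bytes."""
    return secret.encode("utf-8")[:BCRYPT_MAX_BYTES]


def first_difference(a: str, b: str) -> int:
    """0-based byte index where a and b first differ.

    Returns the shorter length if one is a prefix of the other, -1 if equal.
    """
    ab, bb = a.encode("utf-8"), b.encode("utf-8")
    for i, (x, y) in enumerate(zip(ab, bb)):
        if x != y:
            return i
    return -1 if len(ab) == len(bb) else min(len(ab), len(bb))


def bcrypt_would_collide(a: str, b: str) -> bool:
    """True when bcrypt sees an identical key for both secrets, i.e. a
    checkpw(a, hashpw(b, salt)) call would succeed for any salt."""
    return effective_key(a) == effective_key(b)


def prehash(secret: str) -> str:
    """Mitigation: SHA-256 the secret and base64-encode the digest before
    bcrypt. The result is 44 ASCII characters (under 72 bytes, no NUL
    bytes), so the whole original secret influences the final hash."""
    digest = hashlib.sha256(secret.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    idx = first_difference(LONG_TOKEN, SHORT_TOKEN)
    print("first differing byte index:", idx, "(character", idx + 1, ")")
    print("bcrypt keys identical:", bcrypt_would_collide(LONG_TOKEN, SHORT_TOKEN))
    print("after pre-hashing:", bcrypt_would_collide(prehash(LONG_TOKEN), prehash(SHORT_TOKEN)))
```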