Java
P_Alexander, 2020-03-19 00:02:50

How does matches from BCryptPasswordEncoder.class work in Java?

Hello everyone, while digging into BCryptPasswordEncoder, one point is not clear to me, namely:
Example

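    import static org.junit.Assert.assertTrue;

    import org.junit.Test;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

    // Imports, class name and fields are assumed (JUnit 4, SLF4J); the post shows only the method.
    public class BCryptMatchesTest {
        private static final Logger logger = LoggerFactory.getLogger(BCryptMatchesTest.class);
        private final BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();

        @Test
        public void matchesTwoPassTest() {
            String one = "alex";
            String two = "alex";
            String three = "alex";
            // Each encode() call produces a different string for the same input
            String oneEnc = bCryptPasswordEncoder.encode(one);
            String twoEnc = bCryptPasswordEncoder.encode(two);
            // Cross-check: each raw value against a hash made from another variable
            boolean resultOne = bCryptPasswordEncoder.matches(two, oneEnc);
            boolean resultTwo = bCryptPasswordEncoder.matches(one, twoEnc);
            boolean resultThree = bCryptPasswordEncoder.matches(three, twoEnc);
            logger.debug(one + " ONE ENCODE STRING " + oneEnc);
            logger.debug(two + " TWO ENCODE STRING " + twoEnc);
            logger.debug("result : " + resultOne);
            logger.debug("result : " + resultTwo);
            assertTrue(resultOne);
            assertTrue(resultTwo);
            assertTrue(resultThree);
        }
    }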

The hashes of the two identical variables one and two are different!
In the matches method, I pass a hash from another variable, but it returns true!
Silly question, but it is still not clear: does it have some kind of buffer there or what?
If it hashes with a random salt, then when the matches method is called, even if you pass the string the hash was made from, there will be a different hash there, since it will hash the raw string again!
If anyone knows, please explain how it works! Thank you!


1 answer(s)
mayton2019, 2020-03-19
@P_Alexander

According to the documentation, the encoder accepts an 8-byte random salt. It has no effect on the matcher.
Apparently that's how it's meant to be.
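
An added example, not part of the original thread and not Spring Security's own code: it shows where the salt used by `encode` ends up and what `matches` has available when it checks a password, using the `BCrypt` helper class from spring-security-crypto. The class name `BcryptMatchesDemo` and the helpers `saltPrefix`, `verify` and `check` are hypothetical, and the code assumes well-formed bcrypt strings as produced by a default `BCryptPasswordEncoder`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.springframework.security.crypto.bcrypt.BCrypt;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class BcryptMatchesDemo { // hypothetical class name

    // A bcrypt string is "$2a$10$" (version and cost) + 22-char salt + 31-char digest.
    // The first 29 characters are everything needed to repeat the computation.
    static String saltPrefix(String encoded) {
        return encoded.substring(0, 29);
    }

    // Illustrative equivalent of matches(): re-hash the raw password with the
    // salt stored inside the hash string, then compare in constant time.
    static boolean verify(String raw, String encoded) {
        String recomputed = BCrypt.hashpw(raw, saltPrefix(encoded));
        return MessageDigest.isEqual(
                recomputed.getBytes(StandardCharsets.US_ASCII),
                encoded.getBytes(StandardCharsets.US_ASCII));
    }

    static void check(boolean condition, String message) {
        if (!condition) throw new IllegalStateException(message);
    }

    public static void main(String[] args) {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        String oneEnc = encoder.encode("alex");
        String twoEnc = encoder.encode("alex");

        // Each encode() call draws a fresh random salt, so the strings differ.
        check(!oneEnc.equals(twoEnc), "hashes unexpectedly equal");
        check(!saltPrefix(oneEnc).equals(saltPrefix(twoEnc)), "salts unexpectedly equal");

        // Re-hashing with each stored salt reproduces that stored string exactly.
        check(BCrypt.hashpw("alex", saltPrefix(oneEnc)).equals(oneEnc), "oneEnc not reproduced");
        check(verify("alex", twoEnc), "verify failed for twoEnc");
        check(encoder.matches("alex", oneEnc) == verify("alex", oneEnc), "disagrees with matches()");

        // A different password under the same salt gives a different digest.
        check(!verify("alice", oneEnc), "wrong password accepted");
        check(!encoder.matches("alice", oneEnc), "wrong password accepted by matches()");

        System.out.println("salt one: " + saltPrefix(oneEnc));
        System.out.println("salt two: " + saltPrefix(twoEnc));
    }
}
```

Application code should keep calling `encoder.matches(raw, stored)`; `verify` exists here only to make the re-hash step visible.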
