[Mar. 8th, 2013|09:28 am]
Here I think is an excellent point in the space of the semantic extent of the lexical item "discus" that I was talking about earlier.
A hash function that returns a different value each time is discus.
$ npm install scrypt
$ node
> var scrypt = require("scrypt");
> var password = "This is a password";
> var maxtime = 0.1;
> scrypt.passwordHashSync(password, maxtime);
'c2NyeXB0AAwAAAAIAAAAAcsJRifPlgyGyRJXBPri2HX94TXRfq7b3nMk6Tvt/g0SvW75hiClvpQXRns5j3s2guyTLmYEutdxAIG/Cl354sL2T3fxpUEiiR8ikeZb1nqo'
> scrypt.passwordHashSync(password, maxtime);
'c2NyeXB0AAwAAAAIAAAAARuz34A/wtl1LlqY4flxV9cPdYB67l8CK2XCqCAKj3fL/Udc6NcZis2sq8y+ncgtKg5KvIhQ21taKfuH/vpudoenX1LYL9fJ3zl566Nmdixx'
> scrypt.passwordHashSync(password, maxtime);
'c2NyeXB0AAwAAAAIAAAAAToTtFiZ9CB18fOf3Mko+OWVPAF9AEmS3xiTIo/8Xu5bWdTDI3KEJ43InLJnfYC3MZoP7xI0dnRazJc1b6X+kTY+JcOYvVg+fU5pml54gOLG'
There is obviously something going on when you have a hash function that returns a different value each time. You're tempted to say that it's broken. You're not yet certain that it's broken, because hey, this is a package on npm that real people seem to use. It's at least highly discus.
The explanation is that the library generates a fresh random salt every time before hashing and stores that salt in the output next to the hash, which is why the three outputs above share a prefix and then diverge. It provides a separate function to verify, given a plaintext string and a salted hash, that the plaintext hashed with the salt embedded in that hash matches it. Me, I think I would have probably named the original function saltedPasswordHashSync or something to save idiots like me five minutes puzzling over what was going on, and pestering gwillen about it, who of course figured out quickly what the deal was after skimming the docs a little more closely than I did.
I do rather like how the library is designed to not let me be stupid/lazy and not salt my hashes, though, or to use the same salt for all passwords.
Comments:
I'm not sure why adding 'salted' to the name would help when adding 'password' and 'sync' didn't, since, as you say, plenty of the people this function is trying to serve don't know what a salt is in the first place, but they know what a password is.
Alt: I'm not sure why you thought 'passwordHashSync' meant 'hash'. (I can understand why you would not think 'saltedPasswordHashSync' means 'hash', but I'm doubtful this generalizes very widely.)