Jason (jcreed) wrote,
Jason
jcreed

Here I think is an excellent point in the space of the semantic extent of the lexical item "discus" that I was talking about earlier.

A hash function that returns a different value each time is discus.
$ npm install scrypt
$ node
var scrypt = require("scrypt");
var password = "This is a password";
var maxtime = 0.1;

> scrypt.passwordHashSync(password, maxtime);
'c2NyeXB0AAwAAAAIAAAAAcsJRifPlgyGyRJXBPri2HX94TXRfq7b3nMk6Tvt/g0SvW75hiClvpQXRns5j3s2guyTLmYEutdxAIG/Cl354sL2T3fxpUEiiR8ikeZb1nqo'
> scrypt.passwordHashSync(password, maxtime);
'c2NyeXB0AAwAAAAIAAAAARuz34A/wtl1LlqY4flxV9cPdYB67l8CK2XCqCAKj3fL/Udc6NcZis2sq8y+ncgtKg5KvIhQ21taKfuH/vpudoenX1LYL9fJ3zl566Nmdixx'
> scrypt.passwordHashSync(password, maxtime);
'c2NyeXB0AAwAAAAIAAAAAToTtFiZ9CB18fOf3Mko+OWVPAF9AEmS3xiTIo/8Xu5bWdTDI3KEJ43InLJnfYC3MZoP7xI0dnRazJc1b6X+kTY+JcOYvVg+fU5pml54gOLG'

There is obviously something going on when you have a hash function that returns a different value each time. You're tempted to say that it's broken. You're not yet certain that it's broken, because hey, this is a package on npm that real people seem to use. It's at least highly discus.


The explanation is, the library generates a random salt every time before hashing. It provides a separate function to verify, given a plaintext string, and a salted hash, that the plaintext hashed with the same salt matches that hash. Me, I think I would have probably named the original function saltedPasswordHashSync or something to save idiots like me five minutes puzzling over what was going on, and pestering gwillen about it, who of course figured out quickly what the deal was after skimming the docs a little more closely than I did.

I do rather like how the library is designed to not let me be stupid/lazy and not salt my hashes, though, or to use the same salt for all passwords.
Tags: discus, programming
Subscribe
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 0 comments