I'm pretty much sure I must be doing something completely wrong, but why is this test failing for the last two assertions?
Two relatively similar, but nevertheless different, strings (basically JWTs) test OK against each other's hashes?
    import static org.junit.Assert.assertFalse;
    import static org.junit.Assert.assertTrue;

    import org.junit.Test;
    import org.mindrot.jbcrypt.BCrypt;

    @Test
    public void testMoreHashing() {
        // Two JWTs: same header, payloads that share a long common prefix
        String longToken = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJCTFVCQl9BVURJRU5DRSIsInN1YiI6IkNZOXJ6VVloMDNQSzNrNkRKaWUwOWc9PSIsIm5iZiI6MTUxMzI4NzAzNCwiaXNzIjoiSVNTVUVSIiwiZXhwIjoxNTE4NDcxMDM0LCJpYXQiOjE1MTMyODcwMzQsImVtYWlsIjoiYUBiLmNvbSJ9.IYMKztYEIJxzYgHpUDhCHcG22h28OQAsMg7TEMBVYELSczeniwv8IKxgrSBub9Q0X14UT6LnQUu4yeeTofRYH2jRSwW42gfaW5uK8NJQVdluNdZwUsWHVG05gbaSM7ZeS4tH3-SVbUOO3uJ-N2sVcBF5AFLaIAu0GD9CzPU1CjYYc9JiAArztAS5j7pK-xGNTRCKvcoGLa9iG9nhvssTZkPH6kPOJj9RHFo30mgSnPIGSc6040h7n8X7LCUC4qfUe1sOknHomN_RKTQk4Q5FBL1snTyCTxcaErVwvjv__YK9FQ40pDfOboEsSk81CYW6SbqDIdVlyr09VrDzIwJpPA";
        String shortToken = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJCTFVCQl9BVURJRU5DRSIsInN1YiI6IlU3bFFoV09TUDBmMDdOZ1BWTkd3d0E9PSIsIm5iZiI6MTUxMzI4NzAzNSwiaXNzIjoiSVNTVUVSIiwiZXhwIjoxNTE4NDcxMDM1LCJpYXQiOjE1MTMyODcwMzUsImVtYWlsIjoiYUBiLmNvbSJ9.";

        // Each token verifies against its own hash
        String longTokenHash = BCrypt.hashpw(longToken, BCrypt.gensalt(13));
        assertTrue(BCrypt.checkpw(longToken, longTokenHash));
        String shortTokenHash = BCrypt.hashpw(shortToken, BCrypt.gensalt(13));
        assertTrue(BCrypt.checkpw(shortToken, shortTokenHash));

        // The inputs and the hashes are clearly different
        assertFalse(longToken.equalsIgnoreCase(shortToken));
        assertFalse(longTokenHash.equalsIgnoreCase(shortTokenHash));
        assertFalse(longToken.contains(shortToken));

        // These two assertions fail: each token also verifies against the other's hash
        assertFalse(BCrypt.checkpw(longToken, shortTokenHash));
        assertFalse(BCrypt.checkpw(shortToken, longTokenHash));
    }
The version of jBCrypt used, as copied from my pom.xml, is:

    <dependency>
        <groupId>de.svenkubiak</groupId>
        <artifactId>jBCrypt</artifactId>
        <version>0.4</version>
    </dependency>
JUnit is version 4.12.
Thanks for helping :)
As @tadman pointed out, the Blowfish-based algorithm used truncates passwords at 72 characters, and the differences between the passwords used only start at character 79. See also https://security.stackexchange.com/questions/39849/does-bcrypt-have-a-maximum-password-length
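The following is an added example, not code from the question or from jBCrypt, that makes the 72-byte limit visible and shows the usual mitigation: pre-hash the input with SHA-256, Base64-encode the digest so bcrypt always receives a fixed 44-byte ASCII string, and only then call `BCrypt.hashpw`. The two sample strings are constructed from the 78-byte prefix the question's tokens share, with short made-up suffixes; `firstDifferingByte`, `collideUnderBcrypt`, `prehash`, `hashToken` and `checkToken` are names chosen here. It assumes the same `org.mindrot.jbcrypt.BCrypt` class that the de.svenkubiak artifact provides.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

import org.mindrot.jbcrypt.BCrypt;

public class BcryptTruncationDemo {

    // bcrypt only feeds the first 72 bytes of the input into the Blowfish key schedule;
    // everything after that has no effect on the resulting hash.
    static final int BCRYPT_MAX_BYTES = 72;

    // Index of the first byte at which the UTF-8 encodings of a and b differ, or -1 if equal.
    // Bytes, not chars: jBCrypt encodes the String as UTF-8 before hashing.
    static int firstDifferingByte(String a, String b) {
        byte[] x = a.getBytes(StandardCharsets.UTF_8);
        byte[] y = b.getBytes(StandardCharsets.UTF_8);
        int n = Math.min(x.length, y.length);
        for (int i = 0; i < n; i++) {
            if (x[i] != y[i]) {
                return i;
            }
        }
        return x.length == y.length ? -1 : n;
    }

    // True when bcrypt cannot tell a and b apart: they agree on every byte it actually uses.
    static boolean collideUnderBcrypt(String a, String b) {
        int d = firstDifferingByte(a, b);
        return d == -1 || d >= BCRYPT_MAX_BYTES;
    }

    // SHA-256 gives 32 bytes; Base64 turns them into 44 printable ASCII chars, well under 72
    // and free of NUL bytes (some bcrypt implementations stop at the first NUL).
    static String prehash(String secret) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] digest = sha256.digest(secret.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required in every Java runtime", e);
        }
    }

    static String hashToken(String token) {
        return BCrypt.hashpw(prehash(token), BCrypt.gensalt(13));
    }

    static boolean checkToken(String token, String storedHash) {
        return BCrypt.checkpw(prehash(token), storedHash);
    }

    public static void main(String[] args) {
        // Constructed sample: the 78-byte prefix shared by the question's two JWTs, plus made-up suffixes.
        String sharedPrefix = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJCTFVCQl9BVURJRU5DRSIsInN1YiI6I";
        String a = sharedPrefix + "kNZOXJ6";
        String b = sharedPrefix + "lU3bFFo";

        System.out.println("first differing byte: " + firstDifferingByte(a, b)); // 78, past the 72-byte limit
        System.out.println("indistinguishable to bcrypt: " + collideUnderBcrypt(a, b)); // true

        // Raw bcrypt: b verifies against a's hash, exactly the failure seen in the question's test.
        String rawHashOfA = BCrypt.hashpw(a, BCrypt.gensalt(13));
        System.out.println("raw bcrypt cross-check: " + BCrypt.checkpw(b, rawHashOfA)); // true

        // Pre-hashed: the whole input contributes to the digest, so b no longer verifies.
        String prehashedHashOfA = hashToken(a);
        System.out.println("pre-hashed cross-check: " + checkToken(b, prehashedHashOfA)); // false
        System.out.println("pre-hashed self-check: " + checkToken(a, prehashedHashOfA)); // true
    }
}
```

Two practical notes: pre-hashing changes every stored hash, so it has to be introduced with a migration rather than switched on in place, and `collideUnderBcrypt` is a useful guard in a test suite or input validator to flag secrets whose distinguishing bytes lie beyond the 72-byte window before they ever reach bcrypt.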