Auth0 Home Blog Docs

Are there plans to support the $2y$ bcrypt function?

bcrypt

#1

While working on a database connector I discovered that the Auth0 bcrypt function doesn’t support the current $2y$ hash format and instead supports the older $2a$ hash format. Does anyone know if there will be an update to allow for $2y$ hashes? Luckily, it turns out that the $2y$ format is compatible in the generated hashes if you change $2y$ to $2a$ so I added the following code in my Auth0 login script:

// PHP created bcrypt passwords are $2y$ but this system only
// accepts the older $2a$ format. Luckily, they are the same
// algorithm $2y$ fixes a 8bit sign issue]
if (user.password[2] == 'y') {
  user.password = user.password.substring(0, 2) + 'a' + user.password.substring(3);
}
bcrypt.compare(password, user.password, function (err, isValid) {

#2

You should do a general online search about this, but what comes to play here is not technically older versions of bcrypt. In addition, bcrypt module that can be used in your scripts is just an NPM Node module that can be used by default so the same would apply to any Node code even outside of Auth0.

The source of the different prefixes seems to come from a PHP implementation which at one point had bugs and then decided to use the prefix as a way to distinguish between hashes generated from buggy and non-buggy version. You’re now using these hashes outside of the PHP implementation so you’ll need to adjust the hashes manually to take that under consideration.

As mentioned, you can research more about this online, but you can start with:


#3

I should have done more digging. I thought it was a generic issue with the bcrypt algorithm, not that it was specific to a PHP implementation. Thanks for clarifying that for me.


#4