bcrypt in Node.js does not work as expected

I generated the hashed password into my db. In the incoming request I checked my plain input password against the hashed password in the db. For example, if my input password is XXXX and I add some characters in the middle, then the bcrypt compare method returns false. But if I add some characters at the end of my input password, the bcrypt compare method returns true. Please help me understand why this happens.

My code:

const bcrypt = require('bcrypt');

const bcryptTest = async () => {
  const input = "kw^#Ko38Q7GusXjd%L?DVXM^CVEF8&9c8L%4GupYcV/DZN3U7GN7Zfyd[Fi&yaNzss";

  //let hashedPassword = await bcrypt.hash(input, 12);
  //Hashed password generated from above
  const hashedPassword = "$2b$12$GAFB9ahYHuu.2XQN5fqHoufHQUBuf2a8awNp67hJIN0xP77S5X2tK";
  console.log('Hashed Password', hashedPassword);

  // compare() resolves to a boolean (true when the input matches the hash), not to the plain text
  const isMatch = await bcrypt.compare(input, hashedPassword);
  console.log('Password matches', isMatch);
};

bcryptTest();


The bcrypt docs state that:

*Per bcrypt implementation, only the first 72 bytes of a string are used. Any extra bytes are ignored when matching passwords. Note that this is not the first 72 characters. It is possible for a string to contain less than 72 characters while taking up more than 72 bytes (e.g. a UTF-8 encoded string containing emojis).*

Your input is 74 bytes. So when you add an extra char in the middle it actually changes the input and compare returns false, but extra chars at the end are just ignored.

You can check the length with the code below:

// Buffer.byteLength counts UTF-8 bytes, which is what bcrypt's 72-byte limit is measured in
let ans = Buffer.byteLength("kw^#Ko38Q7GusXjd%L?DVXM^CVEF8&9c8L%4GupYcV/DZN3U7GN7Zfyd[Fi&yaNzss", 'utf8');
console.log('Input bytes', ans);

Posted on by Sandeep Patel