x/crypto/bcrypt: GenerateFromPassword returns nil error on empty password #42230
Comments
dmitshur
changed the title
|
As I understand, there are no restrictions on the password input to |
dmitshur
added
the
NeedsInvestigation
|
Unfortunately there isn't really a bcrypt specification, all we have to go off is the original paper from the OpenBSD folks, which doesn't specify what you do in this case, and other implementations. The OpenBSD libc implementation appears to accept empty input, and can probably be considered the reference implementation. PHP does the same thing, and is likely the place where bcrypt is most often used in the wild. I don't think there is a particularly strong security argument to reject empty inputs, but there is perhaps a UX one to be made. Given we appear to match the community implementation consensus on this matter though, I would lean towards just saying this works as intended. |
|
Not the safest interface, but I think here backwards compatibility and matching the ecosystem are good enough reasons not to make a change. |
I just found out that if I use nil slice or empty string to generate bcrypt hash, bcrypt will simply generate one without complaining. I would expect to get error but nope, I just get a real hash. This bit me while creating API layer and my front-end did not properly map fields and I was getting empty passwords but all requests just passed so I ended up with new users in db with random passwords. Luckily it was just testing in development.
Example
https://play.golang.org/p/DBnWUjn0YPX
The text was updated successfully, but these errors were encountered: