I'm trying to hash + salt user passwords with the Bcrypt library that ships with Crystal.

The following code produces an "Invalid salt size" error when run in a playground.

```crystal
require "crypto/bcrypt"

user = "Jones"
pass = "password"

# Raises "Invalid salt size": the second argument of Crypto::Bcrypt.new is a
# 16-byte salt, not a username, so "Jones" is rejected.
temp = Crypto::Bcrypt.new(pass, user)
```

Relevant source code

Jones

1 Answer

Use the Crypto::Bcrypt::Password API; don't use Crypto::Bcrypt directly.

You don't use the username in the BCrypt hash generation; the API will use a random value as the salt.

```crystal
require "crypto/bcrypt/password"

# create generates a random salt, runs bcrypt and returns a Password object;
# to_s gives the serialized "$2a$..." string you store.
bcrypt_hash = Crypto::Bcrypt::Password.create("password123")
```

See https://crystal-lang.org/api/master/Crypto/Bcrypt/Password.html

Magnus

  • So basically `Crypto::Bcrypt::Password.create(user + pass)`? – Jones Jul 07 '17 at 04:24
  • You only should hash the secret value, no real point in concatenating the username, using a username as a salt is not a good practice in general, but it's absolutely pointless with bcrypt, the whole point of bcrypt is that it safely abstracts salt management away from you. – Magnus Jul 07 '17 at 04:59
  • `hash = Crypto::Bcrypt::Password.new(pass)` results in an index out of bounds error for me. – Jones Jul 07 '17 at 05:05
  • The `new` method is for constructing the object from the serialized bcrypt hash, if you want to create a hash from a password, use the `create` method like the example. – Magnus Jul 07 '17 at 05:22
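The full register/login cycle the answer and its comments describe, as an added example that is not part of the question or the answer: `create` hashes the secret alone (bcrypt picks and embeds the random salt), the resulting string is what gets stored, and `new` rebuilds a `Password` object from that stored string so `verify` can check a login attempt. The in-memory `USERS` hash and the `register`/`authenticate?` helper names are constructed for this example; the `Crypto::Bcrypt::Password` calls and `Crypto::Bcrypt::DEFAULT_COST` are the standard-library API the answer links to.

```crystal
# Added example, not code from the question or the answer.
require "crypto/bcrypt/password"

# Constructed stand-in for a users table: username => stored bcrypt string.
USERS = {} of String => String

# Registration: hash only the secret. Bcrypt generates a random salt itself
# and embeds it in the serialized string, so the username plays no part.
def register(username : String, password : String, cost = Crypto::Bcrypt::DEFAULT_COST)
  hashed = Crypto::Bcrypt::Password.create(password, cost: cost)
  USERS[username] = hashed.to_s # e.g. "$2a$11$<22-char salt><31-char digest>"
end

# Login: rebuild the Password object from the stored string with `new`
# (not `create`, which would produce a fresh hash with a fresh salt),
# then let bcrypt compare the attempt against the embedded salt and digest.
def authenticate?(username : String, password : String) : Bool
  raw = USERS[username]?
  return false unless raw                 # unknown user
  return false unless raw.starts_with?("$2") # not a serialized bcrypt string; refuse to parse
  Crypto::Bcrypt::Password.new(raw).verify(password)
end

register("jones", "password")
puts authenticate?("jones", "password")  # correct password
puts authenticate?("jones", "Password")  # wrong case
puts authenticate?("nobody", "password") # unknown user
```

Passing a plain password to `new`, as in the third comment, fails because `new` expects the serialized `$2a$...` string that `create` (or `to_s`) produced; the `starts_with?("$2")` guard makes that mistake fail closed instead of raising from inside the parser.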