BCrypt says long, similar passwords are equivalent - problem with me, the gem, or the field of cryptography?

攒了一身酷 2020-12-17 04:19

I've been experimenting with BCrypt, and found the following. If it matters, I'm running ruby 1.9.2dev (2010-04-30 trunk 27557) [i686-linux]

require 'bcry
2 answers
  •  既然无缘
    2020-12-17 04:31

    The good news is, the mathematical foundations of encryption haven't been dissolved. :)

    The bad news is that there's an 8-bit key length limit in bcrypt.c which is silently failing:

    uint8_t key_len, salt_len, logr, minor;

    Then later:

    key_len = strlen(key) + (minor >= 'a' ? 1 : 0);

    What you're passing in for encryption is 263 characters, but it winds up thinking it's only 8. So you're getting comparisons on only the very first part of the strings.

    However, it works fine for me when I pare down the length of the long_strings, so if you actually do get a problem in the sub-255-total range that may be related to something else.
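The silent wrap the answer describes, as an added C example that is not from the original thread, the bcrypt gem, or bcrypt.c: `effective_key_len` mirrors the two quoted lines, `key_len_wrapped` is an assumed pre-hash check a caller could add, and the 263-byte sample passwords are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirror of the quoted bcrypt.c lines: the length is stored in an 8-bit
 * field, so any value above 255 wraps modulo 256 with no error. */
uint8_t effective_key_len(size_t actual_len, char minor) {
    uint8_t key_len;                                  /* uint8_t, as in bcrypt.c */
    key_len = (uint8_t)(actual_len + (minor >= 'a' ? 1 : 0));  /* silent wrap */
    return key_len;
}

/* Same computation in a size_t; comparing it with the 8-bit value tells
 * a caller whether truncation happened. (Assumed helper, not bcrypt's API.) */
size_t full_key_len(size_t actual_len, char minor) {
    return actual_len + (minor >= 'a' ? 1 : 0);
}

/* Returns 1 if the 8-bit field would silently shorten this key. */
int key_len_wrapped(size_t actual_len, char minor) {
    return effective_key_len(actual_len, minor) != full_key_len(actual_len, minor);
}

/* Returns 1 if bcrypt would consume identical key bytes for a and b:
 * only the first effective_key_len bytes are ever read, so equal-length
 * keys that agree on that prefix are indistinguishable to the hash. */
int keys_collide_under_wrap(const char *a, const char *b, char minor) {
    size_t la = strlen(a), lb = strlen(b);
    if (la != lb) return 0;            /* different lengths wrap differently */
    uint8_t n = effective_key_len(la, minor);
    return memcmp(a, b, n) == 0;
}

/* Constructed sample: two 263-byte passwords (as in the question) that are
 * identical except at byte diff_pos. With minor 'a', 263 + 1 = 264 wraps to
 * 8, so any difference at position 8 or later is invisible to the hash. */
int demo_collision(size_t diff_pos) {
    char a[264], b[264];
    memset(a, 'x', 263); a[263] = '\0';
    memset(b, 'x', 263); b[263] = '\0';
    b[diff_pos] = 'y';
    return keys_collide_under_wrap(a, b, 'a');
}

int main(void) {
    printf("263-byte key, minor 'a': key_len seen by bcrypt = %u\n",
           effective_key_len(263, 'a'));                 /* prints 8 */
    printf("wrapped? %d  differ@100 collide? %d  differ@3 collide? %d\n",
           key_len_wrapped(263, 'a'), demo_collision(100), demo_collision(3));
    return 0;
}
```

Rejecting a password whenever `key_len_wrapped` returns 1 before calling the hash turns the silent truncation into an explicit error.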
