BCrypt says long, similar passwords are equivalent - problem with me, the gem, or the field of cryptography?

攒了一身酷 2020-12-17 04:19

I've been experimenting with BCrypt, and found the following. If it matters, I'm running ruby 1.9.2dev (2010-04-30 trunk 27557) [i686-linux]

require 'bcry


        
2 answers
  •  天涯浪人
    2020-12-17 04:28

    Blowfish's P-array is 18 4-byte integers long. BCrypt XORs this array by the password + null, then repeats the procedure until it gets to the end. Say my password was 12345, it would XOR the P-array by 12345(null)12345(null)12345(null), etc...

    A full description of EksBlowfish is here. The short version is, BCrypt only uses the first 72 bytes.
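
The key cycling and 72-byte cutoff described in the answer above, as an added example that is not part of the original post or the bcrypt gem's code. It models only the byte stream XORed into the P-array, not full EksBlowfish; the helper names and sample passwords are constructed for illustration.

```ruby
# Added example: models only the password bytes XORed into Blowfish's P-array.
# It is not EksBlowfish and not the bcrypt gem's code; names are hypothetical.
P_ARRAY_WORDS    = 18                          # P-array entries, per the answer
WORD_BYTES       = 4                           # bytes per entry
KEY_STREAM_BYTES = P_ARRAY_WORDS * WORD_BYTES  # 72

# Password + NUL, repeated until the 72 bytes of the P-array are covered.
def p_array_key_stream(password)
  key = password.b + "\0".b
  stream = "".b
  stream << key while stream.bytesize < KEY_STREAM_BYTES
  stream.byteslice(0, KEY_STREAM_BYTES)
end

# The same stream as the 18 big-endian 32-bit words XORed into P[0..17].
def p_array_key_words(password)
  p_array_key_stream(password).unpack("N*")
end

# Number of trailing password bytes that never reach the P-array.
def ignored_bytes(password)
  [password.bytesize - KEY_STREAM_BYTES, 0].max
end

# True when two passwords feed identical key material into the P-array.
def same_key_material?(a, b)
  p_array_key_stream(a) == p_array_key_stream(b)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample passwords: identical for 72 bytes, different after.
  long_a = ("a" * 72) + "first"
  long_b = ("a" * 72) + "second"
  puts p_array_key_stream("12345").byteslice(0, 18).inspect
  puts "same key material: #{same_key_material?(long_a, long_b)}"
  puts "ignored bytes in long_a: #{ignored_bytes(long_a)}"
end
```

A registration or password-change handler can call `ignored_bytes` to reject or flag input longer than 72 bytes instead of silently accepting it.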
