Use Windows CryptGenRandom function instead of RandomRange #3

New Issue

Open

opened 2016-04-26 11:05:17 -07:00 by sikofitt · 1 comment

sikofitt commented

2016-04-26 11:05:17 -07:00

(Migrated from github.com)

Use Windows CryptGenRandom function instead of RandomRange on line #L567 for Windows Platforms.

If you are generating passwords faster than .5 seconds, the salt will duplicate every other round. Hopefully nobody is generating mass password hashes from the same password. Can't think of a use case. (I'm sure there is one).

This is only affected if you generate a hash for the same password.

for i:= 0 to 10 do 
  begin
    TBCryptHash.CreateHash('password');
  end;

This will output something like :

  '$2y$10$kJgRFQ993paFLArmPE3gn.8yuUB/SRpaEw7lkJJ1oVqhWVIecI5nO'
  '$2y$10$kJgRFQ993paFLArmPE3gn.n9OJBeYd77RdOYnkdp9orILyaa5jDb6'
  '$2y$10$onWrpSgN3URAnmBJZkpqieH1QwbkDe5.RXInCYJG9MCtXL0yH6rxe'

Use Windows [CryptGenRandom](http://rgbbs.net/CryptGenRandom) function instead of RandomRange on line [#L567](https://github.com/renegadebbs/pascal_bcrypt/blob/master/BCrypt.pas#L567) for Windows Platforms. If you are generating passwords faster than .5 seconds, the salt will duplicate every other round. Hopefully nobody is generating mass password hashes from the same password. Can't think of a use case. (I'm sure there is one). **_This is only affected if you generate a hash for the same password._** ``` pascal for i:= 0 to 10 do begin TBCryptHash.CreateHash('password'); end; ``` This will output something like : ``` pascal '$2y$10$kJgRFQ993paFLArmPE3gn.8yuUB/SRpaEw7lkJJ1oVqhWVIecI5nO' '$2y$10$kJgRFQ993paFLArmPE3gn.n9OJBeYd77RdOYnkdp9orILyaa5jDb6' '$2y$10$onWrpSgN3URAnmBJZkpqieH1QwbkDe5.RXInCYJG9MCtXL0yH6rxe' ```

sikofitt commented

2017-08-09 07:50:52 -07:00

(Migrated from github.com)

This repo is no longer being updated. See BCrypt in https://github.com/renegadebbs/Renegade.Hash