JoeCode
bcrypt-ruby 72+ character truncation
Feb 06, 2025
Mykola over at their personal blog (n0rdy) recently posted an article on various bcrypt library implementations and determined that most of them are vulnerable to a hash collision bug when a user's password is over 72 characters.
I tested bcrypt-ruby using a script similar to Mykola's Python script and, as expected, bcrypt-ruby is susceptible to the same vulnerability.
require 'bcrypt'
require 'securerandom'
# 18 + 1 + 55 + 1 = 75 characters of prefix, so the password starts past character 72
user_id = SecureRandom.alphanumeric(18)
username = SecureRandom.alphanumeric(55)
password = 'super-duper-secure-password'
combined_string = user_id + ':' + username + ':' + password
combined_hash = BCrypt::Password.create(combined_string)
# same prefix, different password
wrong_password = 'wrong-password'
wrong_combined_string = user_id + ':' + username + ':' + wrong_password
# let's try to break it
# BCrypt::Password#== hashes the given plaintext and compares it with the stored hash
if combined_hash == wrong_combined_string
  puts 'Password is correct'
else
  puts 'Password is incorrect'
end
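As an added example (not from the original post or from bcrypt-ruby itself), here are two common ways to stop input past 72 bytes from being silently ignored: reject over-long input outright, or pre-hash it with SHA-256 before handing it to bcrypt. The helper names (`reject_if_truncated`, `prehash`, `create_hash`, `verify_hash`) and the sample strings are assumptions constructed for illustration.

```ruby
require 'digest'

begin
  require 'bcrypt' # the gem tested on this page; optional so the helpers load without it
rescue LoadError
  nil
end

BCRYPT_MAX_BYTES = 72 # input beyond this many bytes does not affect the bcrypt hash

# Policy 1: refuse any secret that bcrypt would truncate.
def reject_if_truncated(secret)
  if secret.bytesize > BCRYPT_MAX_BYTES
    raise ArgumentError, "secret is #{secret.bytesize} bytes, limit is #{BCRYPT_MAX_BYTES}"
  end
  secret
end

# Policy 2: reduce input of any length to a 44-byte Base64 SHA-256 digest,
# so every input byte influences what bcrypt sees. Base64 (not the raw
# digest) avoids NUL bytes, which would end the bcrypt input early.
def prehash(secret)
  Digest::SHA256.base64digest(secret)
end

def create_hash(secret)
  BCrypt::Password.create(prehash(secret))
end

def verify_hash(stored, secret)
  BCrypt::Password.new(stored.to_s) == prehash(secret)
end

# Constructed sample input shaped like the script above: 75 bytes of prefix.
PREFIX = ('a' * 18) + ':' + ('b' * 55) + ':'
GOOD   = PREFIX + 'super-duper-secure-password'
BAD    = PREFIX + 'wrong-password'

if defined?(BCrypt)
  stored = create_hash(GOOD)
  puts "correct password accepted: #{verify_hash(stored, GOOD)}"
  puts "wrong password accepted:   #{verify_hash(stored, BAD)}"
end
```

Hashes created with `create_hash` must always be checked with `verify_hash`, since the stored value is a bcrypt hash of the digest rather than of the original string.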