Learned a couple of bcrypt things today

polaris · 867 clicks
First a SHA1 is raw bytes and not a string. I guess it should have been obvious but it stumped me.

```go
import (
	"crypto/sha1"
	"encoding/hex"
	"io"
)

h := sha1.New()
io.WriteString(h, "My password")
s := h.Sum(nil)             // <- this is a []byte, not a string; string(s) is not what you want
bs := hex.EncodeToString(s) // <- ah, feel the love
```

The second thing I learned: don't turn on -race when running tests with a lot of bcrypt calls! Holy cow that is slow.

---

**Comments:**

ManticoreX: Just assuming it's a weird title, but SHA and bcrypt are two different hashing algorithms. Unless you have a really weird situation, you would only use one or the other.

dshills: It is a weird situation. Won't go into all the historical reasons, but the plain-text passwords are SHA1'd before being bcrypted. Legacy stuff...

ManticoreX: Going to guess: migrated an old password database by bcrypting the previously stored SHA1 hashes. Now you do both to verify a password is correct.

elithrar_: It would have made more sense (in the long term) to:

- Verify the SHA1 as correct
- While you still have the plaintext password "in flight" within the request, run it through bcrypt
- Replace the SHA1 password with bcrypt
- Next time around, either have your function check whether it's a SHA1 hash or a bcrypt key (and skip it if it's already been upgraded)

dshills: lol, that and our mobiles were sending SHA1 for auth and we couldn't break the API.

kurin: If the endpoint is accepting SHA1 it's not a hash, it's a password.

imrobert: Just want to mention that there are potential issues with pre-hashing passwords before sending them to bcrypt. Specifically when you end up passing the raw bytes to bcrypt directly. It looks like this might not affect you here, but it is something to be aware of. Combining cryptographic primitives in unintended ways can have unintended consequences.

For more information see here: http://blog.ircmaxell.com/2015/03/security-issue-combining-bcrypt-with.html

dshills: hmm, thanks for the article. Might be time to find a way to get that out of the code.

avrtno: bcrypt is designed to be slow.

dshills: That was tongue-in-cheek. It's the -race flag that makes it REALLY slow.
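Added example (not code from the post or the thread): imrobert's warning is about bcrypt implementations that take the key as a NUL-terminated C string, the case the linked ircmaxell article covers. A raw SHA1 digest is 20 arbitrary bytes, so about 1 in 256 of them starts with 0x00 and many more contain one somewhere; such an implementation stops reading at that byte. The code below models only that truncation step (`cStringView` is an assumed model, not bcrypt itself) and searches constructed candidate passwords `pw0`, `pw1`, ... for two distinct ones whose raw digests become identical after truncation, then shows that the hex-encoded form, which is what the original post ends up with, never has that problem because it contains no NUL bytes.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
)

// rawSHA1 returns the 20 raw digest bytes, the thing the post stumbled
// over: it is []byte, not printable text.
func rawSHA1(password string) []byte {
	h := sha1.New()
	h.Write([]byte(password))
	return h.Sum(nil)
}

// hexSHA1 is the form that is safe to hand to any bcrypt: 40 ASCII hex
// characters, so it can never contain 0x00 and is well under bcrypt's
// 72-byte limit.
func hexSHA1(password string) string {
	return hex.EncodeToString(rawSHA1(password))
}

// cStringView models (assumption, not real bcrypt) what an implementation
// that treats the key as a NUL-terminated C string actually hashes: only
// the bytes before the first 0x00.
func cStringView(key []byte) []byte {
	if i := bytes.IndexByte(key, 0); i >= 0 {
		return key[:i]
	}
	return key
}

// findTruncationCollision searches constructed passwords prefix+"0",
// prefix+"1", ... for two distinct ones whose raw SHA1 digests are
// indistinguishable after C-string truncation. Such a pair would produce
// the same bcrypt output on an affected implementation.
func findTruncationCollision(prefix string, limit int) (a, b string, ok bool) {
	seen := make(map[string]string)
	for i := 0; i < limit; i++ {
		pw := prefix + strconv.Itoa(i)
		key := string(cStringView(rawSHA1(pw)))
		if prev, dup := seen[key]; dup {
			return prev, pw, true
		}
		seen[key] = pw
	}
	return "", "", false
}

func main() {
	a, b, ok := findTruncationCollision("pw", 100000)
	if !ok {
		fmt.Println("no truncation collision found")
		return
	}
	fmt.Printf("%q and %q both truncate to %x before bcrypt\n", a, b, cStringView(rawSHA1(a)))
	fmt.Printf("hex forms stay distinct:\n  %s\n  %s\n", hexSHA1(a), hexSHA1(b))
}
```

The same reasoning applies to any raw-digest pre-hash (MD5, SHA-256, an HMAC); encode to hex or base64 before the bcrypt call, or drop the pre-hash entirely as dshills considers above.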

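Added example (not code from the thread): elithrar_'s four steps as one verify-and-upgrade function. The slow hash is injected through a `Hasher` value so the block runs with only the standard library; `demoHasher` is a stand-in for that injection and is not a password hash (in real code wrap `bcrypt.GenerateFromPassword` and `bcrypt.CompareHashAndPassword` from golang.org/x/crypto/bcrypt). The legacy format is assumed to be hex(sha1(password)), matching the post, and is recognised by its 40 hex characters rather than a `$2` prefix.

```go
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// Hasher is the slow password hash, injected so the flow runs without
// golang.org/x/crypto. Hash returns a new stored record; Compare checks a
// plaintext against one.
type Hasher struct {
	Hash    func(plaintext string) (string, error)
	Compare func(stored, plaintext string) bool
}

// legacySHA1 reproduces the old scheme from the post: hex(sha1(password)).
func legacySHA1(password string) string {
	sum := sha1.Sum([]byte(password))
	return hex.EncodeToString(sum[:])
}

// isLegacy reports whether a stored record has not been upgraded yet:
// exactly 40 hex characters and no "$2" (bcrypt) prefix.
func isLegacy(stored string) bool {
	if strings.HasPrefix(stored, "$2") || len(stored) != 40 {
		return false
	}
	_, err := hex.DecodeString(stored)
	return err == nil
}

// Verify checks plaintext against stored. If stored is a legacy SHA1 and
// the password matches, it rehashes the still-in-flight plaintext and
// returns the replacement record for the caller to persist; otherwise
// upgraded is empty.
func Verify(h Hasher, stored, plaintext string) (ok bool, upgraded string, err error) {
	if !isLegacy(stored) {
		return h.Compare(stored, plaintext), "", nil
	}
	if subtle.ConstantTimeCompare([]byte(stored), []byte(legacySHA1(plaintext))) != 1 {
		return false, "", nil
	}
	upgraded, err = h.Hash(plaintext)
	if err != nil {
		return false, "", err
	}
	return true, upgraded, nil
}

// demoHasher is a stand-in used only to exercise the flow offline. It is
// NOT a password hash: unsalted, fast SHA-256 with a "$2demo$" marker.
func demoHasher() Hasher {
	return Hasher{
		Hash: func(plaintext string) (string, error) {
			sum := sha256.Sum256([]byte(plaintext))
			return "$2demo$" + hex.EncodeToString(sum[:]), nil
		},
		Compare: func(stored, plaintext string) bool {
			sum := sha256.Sum256([]byte(plaintext))
			want := "$2demo$" + hex.EncodeToString(sum[:])
			return subtle.ConstantTimeCompare([]byte(stored), []byte(want)) == 1
		},
	}
}

func main() {
	h := demoHasher()
	record := legacySHA1("correct horse") // constructed legacy row
	ok, upgraded, _ := Verify(h, record, "correct horse")
	fmt.Println("first login:", ok, "upgraded:", upgraded != "")
	if upgraded != "" {
		record = upgraded // persist the replacement
	}
	ok, upgraded, _ = Verify(h, record, "correct horse")
	fmt.Println("second login:", ok, "upgraded again:", upgraded != "")
}
```

Note kurin's point still applies to the thread's actual API: if clients send the SHA1 instead of the password, the SHA1 is the credential, and this flow must treat that value as the "plaintext" it hashes and upgrades.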
