Describe the bug I've been using Argon2 in an application not written in Java. Now, I want to start checking those Argon2 hashes in my Java application using password4j.

My other application has generated an Argon2 hash that looks like this:

$argon2id$v=19$m=16384,t=2,p=1$nlm7oNI5zquzSYkyby6oVw$JOkJAYrDB0i2gmiJrXC6o2r+u1rszCm/RO9gIQtnxlY

The clear text password for this is Test123!. If I fill in those values on this online checker, things work exactly the way I want it: https://argon2.online

But when I use password4j, I always get false when running it like this:

        boolean verified = Password.check("Test123!", "$argon2id$v=19$m=16384,t=2,p=1$nlm7oNI5zquzSYkyby6oVw$JOkJAYrDB0i2gmiJrXC6o2r+u1rszCm/RO9gIQtnxlY").withArgon2();
        System.out.println(verified);

I've also noticed that it seems to ignore the configuration values in the hash itself (such as t=2 and p=1). I've tried setting them to match the hash, but that shouldn't be necessary...

To Reproduce See Java code above.

Expected behavior I expect the above to yield true.

Environment:

• OS: Ubuntu 20.04
• JDK Oracle JDK 17
• Version 1.6.2

Additional context N/A.

Describe the bug I am considering migrating from com.lambdaworks:scrypt to com.password4j:password4j. The derived key length of hashes generated by the lambdaworks implementation is 32 bytes, while password4j's scrypt implementation produces 64 byte derived keys. This is fine. The problem is that when checking against an existing hash, password4j's scrypt's check() method requires that the input hash's derived key be 64 bytes. If the derived key length of the input hash is not 64 bytes then check() returns false (com.password4j.SCryptFunction line 151).

To Reproduce Verify with these (valid) hashes generated by com.lambdaworks:scrypt:

Test hash 1: password = "Hello world!" $s0$e0801$fl+gNAicpGG4gLMkUTCvLw==$N5wE1IKsr4LPBoetJVW6jLzEH4kTVXuKGafvAA8Z+88=

Test hash 2: password = "!@#$%^&*()_+"; $s0$e0801$1uFqXES/I17Wj6W85SLXNA==$GvPgo5L9KMtde+jpR5rRd5U7Qa6mcRMFAoy5E50iBro=

Expected behavior I would expect that password4j's HashingFunction.check() methods respect the derived key lengths of the input hashes they are checking against. Looking at the code for password4j's argon2 implementation it does in fact appear to respect the derived key length of the input hash.

It would also be nice if password4j's scrypt had a configurable derived key length, similar to argon2's "hash.argon2.length".

Environment:

• n/a

Additional context n/a

NOTE If you agree with the above change then I would be happy to submit a pull request.

Describe the bug in the documentation (for Argon2) it is mentioned that the SALT is stored in the computed hash and therefore automatically used during a call to check, which is not the case and needs to be specified again manually during a verification call.

When the documentation refers to the hash, does it refer to the com.password4j.Hash object ? or the computed hash (hash.getResult()) ? it maybe not a bug but the documentation is unclear on this point.

To Reproduce

psw4j.properties :

global.random.strong=true
global.pepper=MyPepper
hash.argon2.memory=4096
hash.argon2.iterations=160
hash.argon2.length=128
hash.argon2.parallelism=2
hash.argon2.type=id
hash.argon2.version=19

Test :

Hash hash = Password.hash("my password").addRandomSalt().withArgon2();
String result = hash.getResult();
Password.check("my password", result).withArgon2()  <== return false

Working code :

Hash hash = Password.hash("my password").addRandomSalt().withArgon2();
String salt = hash.getSalt();
String result = hash.getResult();

Password.check("my password", result).addSalt(salt).withArgon2();  <== return true

Expected behavior If salt is already embedded in the computed hash (hash.getResult()) it need to automatically extracted from here (if it exists) in the verification function , this would avoid having in database (result has saved in db in my case) a column for the result and another column which would contain the salt.

Environment:

• OS: Windows 10 Pro java version "11.0.9" 2020-10-20 LTS Java(TM) SE Runtime Environment 18.9 (build 11.0.9+7-LTS) Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.9+7-LTS, mixed mode)

You shouldn't add the slf4j nop impl to the classpath ( https://github.com/Password4j/password4j/blob/master/pom.xml#L53) as it causing package conflict issues for modular applications. Usually application using this library brings proper slf4j impl.

 error: module dev.xxx.openjdk.playground reads package org.slf4j.impl from both org.slf4j.nop and org.apache.logging.log4j.slf4j

Describe the bug This issue happen in random device, verify function Password.check(password, hash).withBCrypt() always return true, even with wrong password.

To Reproduce App with login (username & password) system.

Expected behavior Verify function return correct value.

Environment:

• OS: Windows

• IDE: Android Studio 4.2 Canary 12

• Device spec with working Verify function

• Device spec with Verify function always return true

• Other

Additional context Here's my code and result:

Code

Result

Thankyou firaja :D

Describe the bug i have implemented Password Encryption with [password4j/Argon2] .

• Successfully Encrypted password
• Password validation not working, always showing false.

To Reproduce #Step1#: Encryption Hash hash=Password.hash(userEnteredPassword).addSalt(salt).addPepper(pepper).withArgon2(); #Step2#: Validation boolean verification=Password.check(userEnteredPassword,hash..toString()) .addSalt(salt)) .addPepper(pepper) .withArgon2();

 # Details# : 
      userEnteredPassword : yesh599_33 
      salt                                : yesmykaps599
      pepper                          : 80953

#Argon2() Config Details#: hash.argon2.memory=4096 hash.argon2.iterations=99 hash.argon2.length=128 hash.argon2.parallelism=4 hash.argon2.type=id hash.argon2.version=20

Expected behavior Password verification always showing false.

Environment:

• MAC: [iOS]
• JDK [Open JDK 11]
• JVM Character Set (UTF-8)

Additional context Kindly let me know, if any changes required.

Hello! This is mostly a question about your library.

I noticed a lot of the methods either accept a string or return a string, such as addSalt(String). I noticed when you convert these back to byte[], you are using UTF 8. When I take an existing salt, that's just a byte[], and try to convert it to a String using new String(bytes, StandardCharsets.UTF_8) I always get an error about it being an invalid salt. These are salts that were generated prior to using your library.

I am curious how UTF 8 works in this situation. Normally, byte values >127 are interpreted as surrogate pairs, meaning the character is composed of 2 or more bytes. Some sequences of bytes are not valid unicode, as some ranges are reserved. I am curious how UTF 8 handles this situation and was hoping you knew off hand. Is it replacing those byte sequences with a default character (like those that appear as a square symbol or question mark diamond), or is it keeping the byte sequences as-is?

Would it be possible to create overloads of addSalt taking a byte[] so I could use this library? In case you're curious, when I persisted my passwords and salts to a database, I used Base64 to encode byte[] rather than UTF 8.

Describe the bug Correcy bcrypt hash failed to be verified.

To Reproduce Call:

String hash = "$2b$12$fRnFJP6V1PybWlgvGYYeEutnpgtmYPBy94UPwpKfH2J5GbxA22cFC";
String password = "1234";
boolean verified = Password.check(password, hash).withBCrypt();

verified is false!

Expected behavior verified should be true!

Environment:

• OS: Windows 10 2011
• JDK 11
• Version group: 'com.password4j', name: 'password4j', version: '1.4.0'

Workaround

char minor = passwordHash.charAt(2);
String rounds = passwordHash.replaceFirst("\\$.{2}\\$([0-9]+)\\$.*", "$1");
boolean verified = Password.check(password,passwordHash).with(BCryptFunction.getInstance(com.password4j.BCrypt.valueOf(minor), Integer.parseInt(rounds)));

From sonarcloud report:

When testing exception via @Test annotation, having additional assertions inside that test method can be problematic because any code after the raised exception will not be executed. It will prevent you to test the state of the program after the raised exception and, at worst, make you misleadingly think that it is executed.

You should consider moving any assertions into a separate test method where possible, or using org.junit.Assert.assertThrows instead.

Alternatively, you could use try-catch idiom for JUnit version < 4.13 or if your project does not support lambdas.

Compliant

// This test correctly fails.
@Test
public void testToString() {
    Object obj = get();
    Assert.assertThrows(IndexOutOfBoundsException.class, () -> obj.toString());
    Assert.assertEquals(0, 1);
}

From sonarcloud report: Casting may be required to distinguish the method to call in the case of overloading

Noncompliant

public void example() {
  for (Foo obj : (List<Foo>) getFoos()) {  // Noncompliant; cast unnecessary because List<Foo> is what's returned
    //...
  }
}

public List<Foo> getFoos() {
  return this.foos;
}

Compliant

public void example() {
  for (Foo obj : getFoos()) {
    //...
  }
}

public List<Foo> getFoos() {
  return this.foos;
}

Describe the bug

The commit for issue #64 erroneously removed the "$s0" prefix from scrypt hash strings. The "$s0" prefix is present in the hash string generated by the original lambdaworks scrypt library's SCryptUtil.scrypt() function (from package: "com.lambdaworks:scrypt:1.4.0"). From the lambdaworks scrypt library's README.md, the "$s0" prefix indicates "version 0 of the format with 128-bit salt and 256-bit derived key".

To Reproduce

Using the scrypt library, call com.lambdaworks.crypto.SCryptUtil.scrypt() with any values for parameters passwd, N, r, and p. The returned hash string will have the "$s0" prefix.

Expected behavior

Password4j's scrypt hash strings should have the same format as hash string generated by the lambdaworks scrypt library, which includes the "$s0" prefix.

Environment:

• OS: Any
• JDK Any
• Version 1.6.0

Additional context

Bumps slf4j-api from 2.0.4 to 2.0.6.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Bumps slf4j-simple from 2.0.4 to 2.0.6.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    @firaja That works like a charm, thanks for the quick support and fix!

I accidentally noticed something else though. See this test:

    @Test
    public void test_using_function_directly()
    {
        String hash = "$argon2id$v=19$m=16384,t=2,p=1$nlm7oNI5zquzSYkyby6oVw$JOkJAYrDB0i2gmiJrXC6o2r+u1rszCm/RO9gIQtnxlY";
        Argon2Function function = Argon2Function.getInstanceFromHash(hash);

        boolean test1 = Password.check("Test123!", hash).with(function);
        assertTrue(test1);

        boolean test2 = function.check("Test123!", hash);
        assertTrue(test2);
    }

When using the function directly to check, it doesn't work. This is not the case with for example Bcrypt. Not a big deal for me, I'll use the first way, but I thought you should know. Maybe extract this to a separate issue? Or ignore, it's up to you. :)

Originally posted by @anton-johansson in https://github.com/Password4j/password4j/issues/92#issuecomment-1342537831