Documentation is unclear about Sorcery's salt being entirely separate from the one generated by BCrypt

[avtrujillo]

As discussed here, the string that BCrypt returns when you encrypt the user's password for the first time is a concatenation of the BCrypt version, cost, salt, and checksum. When I decided to switch the project I was working on from Devise to Sorcery, I figured that I could just split the :encrypted_password field of my User model into :crypted_password and :salt in a migration, on the mistaken assumption that the :salt field of Sorcery's User model was the same salt that forms the first 29 characters of :encrypted_password.

From what I can tell, BCrypt is unique among the currently supported encryption providers in this regard. I also notice that one of the planned features for sorcery is storing the salt and hashed password both in the same field. Implementing that for all other providers would probably be the most straightforward way of addressing the problem, but it leaves open the question of what to do with currently existing salts. Maybe there should be a config option to have a separately stored salt for backwards compatibility, along with documentation explaining this?

[mladenilic]

I agree that the salt and hash should be stored together, in the same field. Bcrypt kinda forces that.

The real problem is backward compatibility.

Maybe there should be a config option to have a separately stored salt for backwards compatibility, along with documentation explaining this?

My only concern with this approach is that it might complicate implementations of hashing algorithms more than I'd like, but I don't see better alternative other than dropping backward compatibility.

Anyway, if you are up for it, you can start a PR and I can help out.

[joshbuker]

This would be a good candidate for reworking with Sorcery 1.0, but considering the lack of manpower it might be worth leaving as-is for now. The configuration for Sorcery is already getting a little out of hand, IMO, so I'm hesitant to add more to it if it can be avoided.

[joshbuker]

Honestly, this might be a good thing to just make a part of 1.0 where we don't need to guarantee backwards compatibility.

This can be a part of #104 / the Sorcery 1.0 plan. Closing this for now.

[joshbuker]

Oh god.

Well, this confirms that I'll 100% be implementing the ability to migrate passwords as a built-in Sorcery functionality. I have some good ideas on how to make that work while being flexible.

I wonder if the double salting thing is a holdover from the support for older algorithms that didn't have salts built into the final digest? 🤔