0

In a system which requires a user to have a password, as a quick workaround I wrote random junk as the bcrypt hash so that no one will be able to login to that user. However theoretically there probably is a password which matches this randomly selected hash value.

I was wondering if it could be possible in such a scenario to specially craft a hash value (possibly using a different supported algorithm other then bcrypt) for which it would be guaranteed that there is no preimage.

For bcrypt I suspect this wouldn't be possible, since if my math is correct the expected number of hashes with no 75 char password preimage is (1/e)^(2^416) also known as 0.

But perhaps for another common password hashing algorithm these values would not only be expected but there will also be a way to find such a value.

Meir Maor
  • 12,053
  • 1
  • 24
  • 55

1 Answers1

2

This is mostly answered (in the negative) in Do well-known hash functions have any "impossible" output values?. Cryptographic hashes typically don't have enough mathematical structure to talk about things like the number of pre-images a particular value has. You can do much better analysis of some non-cryptographic hashes like CRC32, since they have so much mathematical structure. In general, uniformly covering the full domain is a design goal, so the property you are asking about would be seen as a weakness.

Of course, it's not hard to design a hash with the property you are looking for. Given any hash function $h(x)$ you can define

function H(x) {
    var count = 0, result = 0;
    do {
        result = h(x . count);
        ++count;
    }
    while (result == 0);
    return result;
}

Essentially you are just re-hashing any time you would return the "reserved" value.

All that said, the typical way to solve this problem from an engineering standpoint is to use a value definitely outside the set of possible values, like NULL. This has the advantage that it survives changing your hash functions.

bmm6o
  • 1,122
  • 7
  • 18