Emphasise importance of a CSPRNG, see #16

dcodeIO · dcodeIO · commit a55ce18a6c16 · 2014-10-17T18:56:46.000+02:00
diff --git a/README.md b/README.md
@@ -16,6 +16,9 @@ While bcrypt.js is compatible to the C++ bcrypt binding, it is written in pure J
 times](https://github.com/dcodeIO/bcrypt.js/wiki/Benchmark)), effectively reducing the number of iterations that can be
 processed in an equal time span.
 
+The maximum input length is 72 bytes (note that UTF8 encoded characters use up to 4 bytes) and the length of generated
+hashes is 60 characters.
+
 Usage
 -----
 The library is compatible with CommonJS and AMD loaders and is exposed globally as `dcodeIO.bcrypt` if neither is
@@ -117,8 +120,8 @@ API
 ---
 ### setRandomFallback(random)
 
-Sets the random number generator to use as a fallback if neither node's `crypto` module nor the Web Crypto API
-is available.
+Sets the pseudo random number generator to use as a fallback if neither node's `crypto` module nor the Web Crypto
+API is available. Please note: It is highly important that this PRNG is cryptographically secure!
 
 | Parameter       | Type            | Description
 |-----------------|-----------------|---------------
diff --git a/src/bcrypt.js b/src/bcrypt.js
@@ -79,8 +79,8 @@
 
 
     /**
-     * Sets the random number generator to use as a fallback if neither node's `crypto` module nor the Web Crypto API
-     *  is available.
+     * Sets the pseudo random number generator to use as a fallback if neither node's `crypto` module nor the Web Crypto
+     *  API is available. Please note: It is highly important that this PRNG is cryptographically secure!
      * @param {?function(number):!Array.<number>} random Function taking the number of bytes to generate as its
      *  sole argument, returning the corresponding array of cryptographically secure random byte values.
      * @see http://nodejs.org/api/crypto.html
diff --git a/tests/bench.js b/tests/bench.js
@@ -20,6 +20,23 @@ function testAsync(name, salt, impl, cb) {
     });
 }
 
+function testMax(name, impl) {
+    var s = "",
+        salt = bcryptjs.genSaltSync(4),
+        last = null;
+    while (s.length < 100) {
+        s += "0";
+        var hash = impl.hashSync(s, salt);
+        if (hash === last) {
+            console.log(name+" maximum input length is: "+(s.length-1));
+            break;
+        }
+        last = hash;
+    }
+}
+
+testMax("bcrypt.js", bcryptjs);
+
 console.log("## Comparing bcryptjs with bcrypt\n");
 
 function next() {
