Yes, bcrypt-ruby can handle passwords hashed with 2y. You just need to replace the 2y by 2a:
irb(main):002:0> BCrypt::Password.new("$2a$10$jD.PlMQwFSYSdu4imy8oCOdqKFq/FDlW./x9cMxoUmcLgdvKCDNd6") == "password"
=> true
This is necessary as bcrypt-ruby seems to follow Solar Designer’s first suggestion to introduce just 2x for backward-compatible support for the “sign extension bug”:
[…] I am considering keeping support for the broken hashes under another prefix - say, "$2x$" (where the "x" would stand for "sign eXtension bug") instead of the usual "$2a$".
Later he proposed to also introduce the 2y prefix for a better distinction between the three versions:
One idea is to allocate yet another prefix, which will mean the same thing as 2a, but "certified" as passing a certain specific test suite (which will include 8-bit chars). So we'll have:
2a - unknown correctness (may be correct, may be buggy)
2x - sign extension bug
2y - definitely correct
Newly set/changed passwords will be getting the new prefix.
PHP supports 2a, 2x, and 2y, while bcrypt-ruby supports only 2a and 2x. But if you know your implementation doesn’t have the “sign extension bug”, you can just replace 2y by 2a, as 2y means the same thing as 2a.
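An added example (not from the answer above, nor from bcrypt-ruby) of the prefix rewrite as it would look in code: it validates the modular-crypt layout and cost before rewriting 2y to 2a, passes 2a and 2x through, and rejects anything else. Function names are hypothetical; the bcrypt gem is assumed installed only for the verify helper.

```ruby
# Modular-crypt layout of a bcrypt hash: $<version>$<cost>$<22 salt><31 digest>
BCRYPT_RE = /\A\$(2[axy])\$(\d{2})\$([.\/A-Za-z0-9]{53})\z/

# Returns the hash with a 2y prefix rewritten to 2a (2y is defined to mean the
# same thing as a correct 2a, so the rewrite is lossless). 2a and 2x are passed
# through unchanged, since bcrypt-ruby understands both. Any other prefix, a
# malformed body, or an out-of-range cost raises instead of being guessed at.
def normalize_for_bcrypt_ruby(stored_hash)
  m = BCRYPT_RE.match(stored_hash)
  raise ArgumentError, "not a bcrypt hash: #{stored_hash.inspect}" unless m
  version, cost, body = m.captures
  raise ArgumentError, "bcrypt cost out of range: #{cost}" unless (4..31).cover?(cost.to_i)

  version = "2a" if version == "2y"
  "$#{version}$#{cost}$#{body}"
end

# True when the stored hash carries the 2x prefix, i.e. it was produced by an
# implementation with the sign-extension bug. bcrypt-ruby still verifies such
# hashes, but a 2x hash is a signal to rehash the password on its next
# successful verification so the stored value moves to a correct prefix.
def sign_extension_bug?(stored_hash)
  m = BCRYPT_RE.match(stored_hash)
  raise ArgumentError, "not a bcrypt hash: #{stored_hash.inspect}" unless m
  m[1] == "2x"
end

# Verification through the bcrypt gem (gem install bcrypt), assumed installed.
def verify_with_bcrypt_ruby(stored_hash, password)
  require "bcrypt"
  BCrypt::Password.new(normalize_for_bcrypt_ruby(stored_hash)) == password
end

if $PROGRAM_NAME == __FILE__
  # Constructed input: the 2a hash quoted in the answer, relabelled as 2y the
  # way a PHP password_hash() deployment would store it.
  php_hash = "$2y$10$jD.PlMQwFSYSdu4imy8oCOdqKFq/FDlW./x9cMxoUmcLgdvKCDNd6"
  puts normalize_for_bcrypt_ruby(php_hash)
end
```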