jBCrypt versions prior to 0.3 suffered from a bug related to character encoding that substantially reduced the entropy of hashed passwords containing non US-ASCII characters.
dd72d7dabb106e0710c14a2f1935188fc712a50d8d1d76a5ac6d2777e8f3c708
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
jBCrypt security advisory
=========================
jBCrypt is a Java implementation of OpenBSD's Blowfish password hashing
algorithm, as described in "A Future-Adaptable Password Scheme" by Niels
Provos and David Mazieres (USENIX, 1999).
Versions of jBCrypt before 0.3 suffered from a bug related to character
encoding that substantially reduced the entropy of hashed passwords
containing non US-ASCII characters. An incorrect encoding step
transparently replaced such characters by '?' prior to hashing. In the
worst case of a password consisting solely of non-US-ASCII characters,
this would cause its hash to be equivalent to all other such passwords
of the same length.
jBCrypt-0.3, available from http://www.mindrot.org/projects/jBCrypt/
fixes this bug. Please note that passwords containing international
characters that were hashed using a previous version of jBCrypt will
not verify using jBCrypt-0.3. This may necessitate re-hashing of such
passwords.
This bug was responsibly disclosed by Aliaksandr Radzivanovich.
Damien Miller <djm@mindrot.org>
February 1, 2010
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (OpenBSD)
iD8DBQFLZjRjzo7LA4b/nEgRAlz9AJ9gBiRpX5UulfKIkaKthmG00dOxKgCdFYt6
pFhxXEcnqmWIeuo1ykT4nl4=
=WKbk
-----END PGP SIGNATURE-----