Hash-password gives different results for the same password

1. The problem I’m having:

I’m creating a password hash for basic_auth and the hash is not repeatable. Below, I tried to recreate the example given for the word hiccup, from this page: basic_auth (Caddyfile directive) — Caddy Documentation
Is it expected that the hash is always different for the same plaintext password? I don’t know which to put in the Caddyfile in the example for protecting a directory with basic_auth.

2. Error messages and/or full log output:

not applicable

3. Caddy version:

v2.9.1

4. How I installed and ran Caddy:

$ curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
$ curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
$ sudo apt update
$ sudo apt install caddy
$ sudo systemctl start caddy

a. System environment:

Debian 12.9 6.1.0-28-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1 (2024-11-22) x86_64 GNU/Linux

b. Command:

$ caddy hash-password -p hiccup 
$2a$14$BvnWiF3yp6DretBf1xPP5.BCTbptS02kRVw/2egmO931U93V7LhlW
$ caddy hash-password -p hiccup 
$2a$14$/FaWKU7.NSWlQUK9/6z9FOY3zxOMPcOk8NBMC2vaNr7V4K79l0ngK
$ caddy hash-password -p hiccup
$2a$14$jhS44ekEvp2NrOG2XPwPF.CiI4mqP5lV/dCo3F8WHCNSJ9qQ5bdPq

Hi @juniper47,

I’m not sure, but it looks like the option --plaintext might be needed.

It states: “--plaintext is the plaintext form of the password. If omitted, interactive mode will be assumed and the user will be shown a prompt to enter the password manually.”

(The boldface is my doing for emphasis)

This page shows that -p (which I used) is the equivalent of --plaintext.

I repeated the exercise with --plaintext and the same thing happens.

1 Like

Ok, not enough coffee yet this morning.
I had interpreted (accidentally misinterpreted) it incorrectly. Sorry! 🙁

Kindly wait for a more knowledgeable Caddy community member.

I do see that an older version had an option --salt, which makes me wonder if there is now automatic salting for all algorithms and uses.
https://manpages.ubuntu.com/manpages/lunar/man8/caddy-hash-password.8.html

And this looks to show some history on salt: Salt Encoding inconsistency between Caddyfile basicauth and hash-password · Issue #3580 · caddyserver/caddy · GitHub
“keeping only bcrypt”

Edit:

And: security - How can bcrypt have built-in salts? - Stack Overflow
Hashing in Action: Understanding bcrypt

That’s normal. It’s part of the bcrypt algorithm. The salt is random and is part of the output. This protects against rainbow table attacks. It also protects against exposing other users who happen to have the same password if one of them leaks their password.

2 Likes
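The point made in the last two replies, that the salt is random and travels inside the bcrypt string, can be seen by taking the string apart. The following Python is an added example, not Caddy’s own code: it decodes the three hashes printed in the question (layout `$2a$<cost>$<22-char salt><31-char digest>`, in bcrypt’s own base64 alphabet) and shows that they share the version and cost 14 and differ only in the embedded salt and, as a consequence, the digest.

```python
import re
from dataclasses import dataclass

# bcrypt uses its own base64 alphabet (not RFC 4648) and no padding.
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# Layout: $<version>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d\d)\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


@dataclass(frozen=True)
class BcryptHash:
    version: str
    cost: int      # work factor: 2**cost key-expansion rounds
    salt: bytes    # 16 random bytes chosen when the hash was made
    digest: bytes  # 23 bytes of the Blowfish-based output


def bcrypt_b64_decode(text: str) -> bytes:
    """Decode bcrypt's base64 variant, discarding trailing partial bits."""
    acc, nbits, out = 0, 0, bytearray()
    for ch in text:
        acc = (acc << 6) | BCRYPT_B64.index(ch)
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
    return bytes(out)


def parse_bcrypt_hash(encoded: str) -> BcryptHash:
    """Split a bcrypt string such as the ones 'caddy hash-password' prints."""
    m = BCRYPT_RE.match(encoded)
    if m is None:
        raise ValueError(f"not a bcrypt hash: {encoded!r}")
    version, cost, salt, digest = m.groups()
    return BcryptHash(version, int(cost),
                      bcrypt_b64_decode(salt), bcrypt_b64_decode(digest))


def salts_are_distinct(hashes) -> bool:
    """True when every hash in the list carries a different salt."""
    salts = [parse_bcrypt_hash(h).salt for h in hashes]
    return len(set(salts)) == len(salts)


# The three outputs shown in the question above for the password "hiccup".
HICCUP_HASHES = [
    "$2a$14$BvnWiF3yp6DretBf1xPP5.BCTbptS02kRVw/2egmO931U93V7LhlW",
    "$2a$14$/FaWKU7.NSWlQUK9/6z9FOY3zxOMPcOk8NBMC2vaNr7V4K79l0ngK",
    "$2a$14$jhS44ekEvp2NrOG2XPwPF.CiI4mqP5lV/dCo3F8WHCNSJ9qQ5bdPq",
]
```

Any one of the three strings is valid in the Caddyfile, because a bcrypt verifier reads the cost and salt back out of the stored string before recomputing the digest from the submitted password; this snippet only parses the string and does not itself verify passwords.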