Crypt remote generating different hash each time for the same password

When I am creating a crypt remote (without salt password) with the same password, rclone generates different hashed password each time. Shouldn't it produce the same hash?

rclone v1.50.2
- os/arch: windows/amd64
- go version: go1.13.4

I'm not following what you are asking.

Can you list out the steps you are doing and what you are expecting?

[crypt1]
type = crypt
remote = gdrive:path/to/foo
password = Vf8iF3y_2P3kmGtDeT0NLiiKr9pqhBBBB

If we try to create the crypt remote multiple times, then each time the generated config crates different hashed password where the original password is same. Shouldn't the generated hashed password should be same?

No as that isn't how hashing works. It's possible if you did the same passwords many, many, many times, you'd get a duplicate hash.

Using a salt as well makes that even more unlikely.

If you hashed the same results, it makes breaking the hash pretty easy.

If you want to read up, here is a nice article on hashing:

So, hash would be different even if I used the same password?

Yes, it would be different as you have seen :slight_smile:

But MD5 gives same hash, for same text, no matter how many times you generate it..!
I know, Rclone uses different hash, but still.

MD5 is a checksum, not a hash.

You'd want a checksum to produce the same results, but not a hash.

Wikipedia shows MD5 is a hash.

All the time I knew MD5 is a hash, now you're telling me I was wrong? :roll_eyes:

To be specific, you can use MD5 for a checksum and you can use MD5 for a hash.

You were referring to a MD5 checksum being the same, which is different from using MD5 to create a hash. Would highly recommend you read the article I linked.

I think the confusion here is that the passwords you see in the config file are not hashed, they are encrypted. The encryption uses a different nonce each time so each time you encrypt them you get a different encrypted password.

Ohhh..

Ah, this is it. I knew something wasn't adding up. Thank you.
But which begs the question then Rclone has to remember the nonce, isn't it?

No the nonce is written in clear as part of the encrypted password. That is standard practice for crypto nonces - they don't need to be secret, just different each time!

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.