Crypt remote generating different hash each time for the same password

When I am creating a crypt remote (without salt password) with the same password, rclone generates a different hashed password each time. Shouldn't it produce the same hash?

rclone v1.50.2
- os/arch: windows/amd64
- go version: go1.13.4

I'm not following what you are asking.

Can you list out the steps you are doing and what you are expecting?

[crypt1]
type = crypt
remote = gdrive:path/to/foo
password = Vf8iF3y_2P3kmGtDeT0NLiiKr9pqhBBBB

If we try to create the crypt remote multiple times, then each time the generated config creates a different hashed password even though the original password is the same. Shouldn't the generated hashed password be the same?

No as that isn't how hashing works. It's possible if you did the same passwords many, many, many times, you'd get a duplicate hash.

Using a salt as well makes that even more unlikely.

If you hashed the same results, it makes breaking the hash pretty easy.

If you want to read up, here is a nice article on hashing:

So, the hash would be different even if I used the same password?

Yes, it would be different as you have seen :slight_smile:

But MD5 gives the same hash for the same text, no matter how many times you generate it..!
I know Rclone uses a different hash, but still.

MD5 is a checksum, not a hash.

You'd want a checksum to produce the same results, but not a hash.

Wikipedia shows MD5 is a hash.

All the time I knew MD5 is a hash, now you're telling me I was wrong? :roll_eyes:

To be specific, you can use MD5 for a checksum and you can use MD5 for a hash.

You were referring to an MD5 checksum being the same, which is different from using MD5 to create a hash. Would highly recommend you read the article I linked.

I think the confusion here is that the passwords you see in the config file are not hashed, they are encrypted. The encryption uses a different nonce each time so each time you encrypt them you get a different encrypted password.


Ohhh..

Ah, this is it. I knew something wasn't adding up. Thank you.
But that begs the question: then Rclone has to remember the nonce, doesn't it?

No the nonce is written in clear as part of the encrypted password. That is standard practice for crypto nonces - they don't need to be secret, just different each time!

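The layout described in the reply above (a fresh nonce for every encryption, stored in the clear in front of the ciphertext), as an added illustration that is not part of the thread and not rclone's own code. AES-GCM, the demo key and the names `Seal` and `Open` are assumptions chosen for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// aead is AES-256-GCM under a constructed demo key (illustration only, assumed).
var aead = func() cipher.AEAD {
	block, err := aes.NewCipher([]byte("0123456789abcdef0123456789abcdef"))
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}()

// Seal returns base64url(nonce || ciphertext), drawing a fresh random nonce per call.
func Seal(plaintext string) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	out := aead.Seal(nonce, nonce, []byte(plaintext), nil) // nonce is the clear prefix
	return base64.RawURLEncoding.EncodeToString(out), nil
}

// Open reads the nonce back from the front of the blob and decrypts the rest.
func Open(encoded string) (string, error) {
	n := aead.NonceSize()
	raw, err := base64.RawURLEncoding.DecodeString(encoded)
	if err != nil || len(raw) < n {
		return "", fmt.Errorf("malformed input")
	}
	pt, err := aead.Open(nil, raw[:n], raw[n:], nil)
	return string(pt), err
}

func main() {
	a, _ := Seal("same password")
	b, _ := Seal("same password")
	fmt.Println(a, b) // two different blobs for the same input
}
```

Both blobs decrypt to the same text because the reader only needs the key plus the nonce carried inside each blob, so nothing has to be remembered between runs.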
