Why Laravel's bcrypt Hashes Fail in Node.js and How to Fix It

Introduction

When integrating a new Node.js authentication service with an existing Laravel application database, you may encounter failed password comparisons despite entering the correct credentials. This issue arises from a subtle difference in bcrypt hash prefixes between PHP and Node.js implementations. Understanding and addressing this discrepancy is essential for a seamless migration and secure user experience.

---

Background: bcrypt Prefix Variants

Bcrypt hashes include a three-character prefix that indicates the algorithm version and implementation details:

• $2a$: Original bcrypt specification.

• $2b$: Revision addressing 8-bit character handling.

• $2y$: PHP’s prefix, introduced after CVE-2011-2483, to distinguish patched implementations.

While the underlying hashing algorithm for $2y$ and $2b$ is identical, most Node.js libraries (e.g., bcrypt, bcryptjs) only recognize $2a$ and $2b$. As a result, hashes beginning with $2y$. They are treated as invalid, and comparisons will fail.

Problem Demonstration

import bcrypt from 'bcryptjs';

const storedHash = '$2y$10$PszNdKUcfTXs9VE/9iB2meaqZt0vx5cE.LZP2v6A3F6N1Uz9yEHE6';
const password    = 'examplePassword123!';

bcrypt.compare(password, storedHash)
  .then(isMatch => {
    console.log(isMatch ? 'Authenticated' : 'Invalid credentials');
  })
  .catch(error => {
    console.error('Error during comparison:', error);
  });

Output:

Invalid credentials

Despite providing the valid password, bcrypt.compare() fails because the hash prefix $2y$ is not recognized.

Solution: Normalizing the Prefix

Convert the PHP-specific $2y$ prefix to $2b$ before invoking bcrypt.compare(). This approach preserves the original hash content and maintains security.

function normalizeBcryptHash(hash) {
  return hash.startsWith('$2y$')
    ? '$2b$' + hash.slice(4)
    : hash;
}

async function verifyPassword(plainPassword, storedHash) {
  const compatibleHash = normalizeBcryptHash(storedHash);
  return await bcrypt.compare(plainPassword, compatibleHash);
}

// Usage example
const result = await verifyPassword(password, storedHash);
console.log(result ? 'Authenticated' : 'Invalid credentials');

By ensuring the prefix is $2b$, the Node.js bcrypt library correctly processes the hash.

---

Best Practices for New Passwords

1. Generate All New Hashes in Node.js
   When registering new users or updating passwords, use the Node.js bcrypt implementation directly. It will produce hashes with the standard $2b$ prefix:

    const saltRounds = 10;
    const newHash     = await bcrypt.hash('newPassword', saltRounds);
    // newHash will begin with '$2b$'
   

2. Gradual Prefix Migration
   Retain the prefix-normalization logic in your login flow. As users authenticate or change their passwords, the system will automatically replace outdated $2y$ hashes with $2b$, phasing out the legacy prefix without user interruption.

---

Security Considerations

• Algorithm Integrity: Changing the prefix does not weaken the hash; bcrypt’s strength derives from its salt rounds.

• User Experience: No forced password resets are necessary; users continue logging in with existing credentials.

• Maintainability: Centralizing the prefix normalization in a utility function simplifies future maintenance.

---

Conclusion

A three-character prefix can disrupt cross-platform bcrypt compatibility, but the resolution is straightforward. By normalizing $2y$ to $2b$, you ensure seamless password verification between a Laravel-generated database and a Node.js authentication service. Implementing this fix and generating all new hashes in Node.js will result in a consistent, secure, and maintainable authentication system.