Bugs, Hashes, and Special Characters


Last night, a user reported a bug that many of you may have experienced. There was an issue associated with creating accounts using special characters in the password or secret phrase. This bug resulted in accounts that could not be logged into.
Naturally, this was a huge problem, and we got to fixing it right away. After inspecting the account creation and login code, the problem was discovered.

Long story short, the problem is fixed, and you can now create accounts using special characters in your passwords and secret phrases.

If you are curious what caused the problem, we invite you to continue reading.

The problem was caused by a disparity in the two SHA-512 libraries we are using: one for account creation and one for logging in. This is done simply to reduce the app’s size when logging in since the larger library is 800 Kb!

The output of the account creation library, forge.js, is shown below using their example code

The output of the account creation library, forge.js, is shown below using their example code:
var md = forge.md.sha512.create(); md.update('The quick brown fox jumps over the lazy dog');

For example, an input of:
51.% 2_5]0)7-0;£^;’6[@%=9>]8[@@’399=540@(*”[<!69%5<418&7$90,;.£7::};

Results in:

However, the other library resulted in a different output for the same input. The result was:

The contributors to forge were very helpful when I posted this issue on the repo. The problem was simple and involved giving the forge.js object more information about the input encoding:
var md = forge.md.sha512.create(); md.update(data, 'utf8'); // <-- don't forget 'utf8' if you aren't passing in a binary-encoded string
console.log('hash', md.digest().toHex());

We apologize for this mishap, but it helped us realize that the code should be open-sourced as soon as possible so anyone, such as auditors or technical users, can review that code and post issues.

UPDATE: The code is now on Github!!!

Please note: if you experienced this issue, a popup will notify you to change your password and secret phrase. You can change it to the original one, but we need to update our database with the new hash.

We're very sorry for the inconvenience.

In the meantime, we are almost ready to deploy another cool feature that will allow you to reset your password or secret phrase.
We will post that update soon!