Reverse hash and nonce (#8320)

Safer password evaluation
author: Alexandre Alapetite <alexandre@alapetite.fr> 2025-12-15 22:06:05 +0100
committer: GitHub <noreply@github.com> 2025-12-15 22:06:05 +0100
commit: 476e57b04646416e24e24c56133c9fadf9e52b95 (patch)
tree: e88d13f641712e8a8fba88e28dcde741717c43a0 /p/scripts
parent: 00f2f043ac2fc834b3ef82d41b4c710113e988e2 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/p/scripts/extra.js b/p/scripts/extra.js
index 9eeefabfb..6f896f959 100644
--- a/p/scripts/extra.js
+++ b/p/scripts/extra.js
@@ -75,7 +75,7 @@ function init_crypto_forms() {
 						try {
 							const strong = window.Uint32Array && window.crypto && (typeof window.crypto.getRandomValues === 'function');
 							const s = bcrypt.hashSync(crypto_form.querySelector('.passwordPlain').value, json.salt1);
-							const c = bcrypt.hashSync(json.nonce + s, strong ? bcrypt.genSaltSync(4) : poormanSalt());
+							const c = bcrypt.hashSync(s + json.nonce, strong ? bcrypt.genSaltSync(4) : poormanSalt());
 							challenge.value = c;
 							if (!s || !c) {
 								openNotification('Crypto error!', 'bad');
author	Alexandre Alapetite <alexandre@alapetite.fr>	2025-12-15 22:06:05 +0100
committer	GitHub <noreply@github.com>	2025-12-15 22:06:05 +0100
commit	476e57b04646416e24e24c56133c9fadf9e52b95 (patch)
tree	e88d13f641712e8a8fba88e28dcde741717c43a0 /p/scripts
parent	00f2f043ac2fc834b3ef82d41b4c710113e988e2 (diff)