-rw-r--r--app/Models/FormAuth.php2
-rw-r--r--p/scripts/extra.js2
2 files changed, 2 insertions, 2 deletions
diff --git a/app/Models/FormAuth.php b/app/Models/FormAuth.php
index 8943fa7f5..a6431aa8e 100644
--- a/app/Models/FormAuth.php
+++ b/app/Models/FormAuth.php
@@ -11,7 +11,7 @@ class FreshRSS_FormAuth {
return false;
}
- return password_verify($nonce . $hash, $challenge);
+ return password_verify($hash . $nonce, $challenge);
}
/** @return list<string> */
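Review bot: Putting `$hash` first in `password_verify($hash . $nonce, $challenge)` still leaves the concatenation subject to bcrypt's 72-byte input limit, and nothing beside the call says so. If `$hash` is the usual 60-character bcrypt string (p/scripts/extra.js builds its counterpart with `bcrypt.hashSync`), only about the first 12 bytes of `$nonce` take part in the comparison. That is probably acceptable if the nonce is unpredictable in its leading bytes, but it should be recorded at the call, e.g. `// bcrypt reads only the first 72 bytes: keep $hash first so all of it is verified; only the start of $nonce is bound`. The same limit applies to `bcrypt.hashSync(s + json.nonce, ...)` in extra.js. The enclosing method starts above this hunk.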
diff --git a/p/scripts/extra.js b/p/scripts/extra.js
index 9eeefabfb..6f896f959 100644
--- a/p/scripts/extra.js
+++ b/p/scripts/extra.js
@@ -75,7 +75,7 @@ function init_crypto_forms() {
try {
const strong = window.Uint32Array && window.crypto && (typeof window.crypto.getRandomValues === 'function');
const s = bcrypt.hashSync(crypto_form.querySelector('.passwordPlain').value, json.salt1);
- const c = bcrypt.hashSync(json.nonce + s, strong ? bcrypt.genSaltSync(4) : poormanSalt());
+ const c = bcrypt.hashSync(s + json.nonce, strong ? bcrypt.genSaltSync(4) : poormanSalt());
challenge.value = c;
if (!s || !c) {
openNotification('Crypto error!', 'bad');
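Review bot: The operand order in `bcrypt.hashSync(s + json.nonce, ...)` is a contract with `password_verify($hash . $nonce, $challenge)` in app/Models/FormAuth.php, and nothing on this line records it. A comment such as `// Order must match FreshRSS_FormAuth on the server: password hash first, then nonce` would keep the two sides from diverging in a later edit. A browser still holding a cached copy of the previous script will presumably produce challenges the updated server rejects, so it is worth confirming that the script URL is cache-busted on upgrade. init_crypto_forms continues outside this hunk.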