When using bcrypt.compare(password, user.password) with the original hashed user.password being something and the supplied password being something__ or something_, bcrypt.compare will return true.

Just wondering if this is intended behavior, if it is I'd consider this VERY bad practice.