Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Bcrypt generates different hashes for the same input?

Tags:

bcrypt

grails

I just added a registration functionality to my new grails project. For testing it, I registered by giving an email and a password. I am using bcrypt algorithm for hashing the password before saving it to the database.

However when I try to login with the same email and password that I gave while registering, login fails. I debugged the application and found out that the hash that is generated for the same password is different when I try to compare with the already hashed one from database and hence the login is failing (Registration.findByEmailAndPassword(params.email,hashPassd) in LoginController.groovy returns null).

Here's my domain class Registration.groovy:

class Registration {     transient springSecurityService     String fullName    String password    String email     static constraints = {       fullName(blank:false)       password(blank:false, password:true)       email(blank:false, email:true, unique:true)    }     def beforeInsert = {       encodePassword()    }     protected void encodePassword() {       password = springSecurityService.encodePassword(password)    } } 

Here's my LoginController.groovy:

class LoginController {     /**     * Dependency injection for the springSecurityService.     */    def springSecurityService     def index = {       if (springSecurityService.isLoggedIn()) {          render(view: "../homepage")       }       else {          render(view: "../index")       }    }     /**     * Show the login page.     */    def handleLogin = {        if (springSecurityService.isLoggedIn()) {          render(view: "../homepage")          return       }        def hashPassd = springSecurityService.encodePassword(params.password)       // Find the username       def user = Registration.findByEmailAndPassword(params.email,hashPassd)       if (!user) {          flash.message = "User not found for email: ${params.email}"          render(view: "../index")          return       } else {          session.user = user          render(view: "../homepage")       }    } } 

Here's a snippet from my Config.groovy telling grails to use bcrypt algorithm to hash passwords and the number of rounds of keying:

grails.plugins.springsecurity.password.algorithm = 'bcrypt' grails.plugins.springsecurity.password.bcrypt.logrounds = 16 
like image 271
adit Avatar asked Dec 11 '11 21:12

adit


People also ask

Does bcrypt generate the same hash?

A BCrypt hash includes salt and as a result this algorithm returns different hashes for the same input.

Are bcrypt hashes reversible?

So, just like irreversible algorithms based cryptographic digests, bcrypt produces an irreversible output, from a password, salt, and cost factor. Its strength lies in Blowfish's resistance to known plaintext attacks, which is analogous to a "first pre-image attack" on a digest algorithm.

Does bcrypt automatically salt?

Another benefit of bcrypt is that it requires a salt by default. Let's take a deeper look at how this hashing function works! "`bcrypt` forces you to follow security best practices as it requires a salt as part of the hashing process. Hashing combined with salts protects you against rainbow table attacks!

How does bcrypt hash work?

BCrypt Algorithm is used to hash and salt passwords securely. BCrypt permits building a password security stage that can advance nearby hardware innovation to guard against dangers or threats in the long run, like attackers having the computing power to guess passwords twice as quickly.

How does the bcrypt hashing process work?

The bcrypt hashing process heavily relies on the eksblowfish function. When the user inputs their password for the first time, the site uses “EksBlowfishSetup” to set two important parameters. First, it adds the “salt” to the password. A salt is a string of random characters used by the site to make passwords more complex.

What do the prefixes in bcrypt hash values mean?

The resulting hash is prefixed with $ 2 a$, $ 2 y$, or $ 2 b$. The prefixes are added to indicate usage of bcrypt and its version.

What is bcrypt and how does it work?

Bcrypt is an algorithm designed to hash and salt passwords for safe storage. It’s an industry standard that’s time-tested and proven to resist threats from hackers and other malicious agents. Keep reading to learn the fundamentals of bcrypt, why it’s so effective, and how it compares to different password protection algorithms. What is hashing?

How to compare hashed passwords with plaintext passwords using bcrypt?

Bcrypt generates a random salt (that is included as a part of the resulting hash). So it is different every time with purpose. You need to use bcrypt.CompareHashAndPasswordto compare the hashed password and the plaintext password. The first argument of bcrypt.CompareHashAndPasswordis the hashed password, the second is the plaintext password.


1 Answers

Jan is correct - bcrypt by design doesn't generate the same hash for each input string. But there's a way to check that a hashed password is valid, and it's incorporated into the associated password encoder. So add a dependency injection for the passwordEncoder bean in your controller (def passwordEncoder) and change the lookup to

def handleLogin = {     if (springSecurityService.isLoggedIn()) {       render(view: "../homepage")       return    }     def user = Registration.findByEmail(params.email)    if (user && !passwordEncoder.isPasswordValid(user.password, params.password, null)) {       user = null    }     if (!user) {       flash.message = "User not found for email: ${params.email}"       render(view: "../index")       return    }     session.user = user    render(view: "../homepage") } 

Note that you don't encode the password for the isPasswordValid call - pass in the cleartext submitted password.

Also - completely unrelated - it's a bad idea to store the user in the session. The auth principal is readily available and stores the user id to make it easy to reload the user as needed (e.g. User.get(springSecurityService.principal.id). Storing disconnected potentially large Hibernate objects works great in dev mode when you're the only user of your server, but can be a significant waste of memory and forces you to work around the objects being disconnected (e.g. having to use merge, etc.).

like image 110
Burt Beckwith Avatar answered Sep 19 '22 07:09

Burt Beckwith