
Comparing hashed passwords with salt (bcrypt) always returns false

While doing an exercise for school, I was required to store passwords properly (hashed in a database) using bcrypt. When comparing them, the method always returns false. My code looks like this:

Register:

String username = editTextUsername.getText().toString();
String password = editTextPassword.getText().toString();
String hashedPW = BCrypt.hashpw(password, BCrypt.gensalt()); // fresh random salt, embedded in the result
User user = new User(username, hashedPW);
user.save(); // the full 60-character bcrypt string is what gets stored

Login:

String username = editTextUsername.getText().toString();
String enteredPassword = editTextPassword.getText().toString();

String hashedPW = BCrypt.hashpw(enteredPassword, BCrypt.gensalt()); // a second, different salt

User u = usercontroller.getUser(username); //gets user object
String password = u.getPassword(); // the bcrypt hash saved at registration

BCrypt.checkpw(password, hashedPW); //always returns false

I hope there are some BCrypt pros out there who could possibly help me. Thank you in advance!

Matthias Lassnig asked Apr 20 '17 08:04




1 Answer

change

BCrypt.checkpw(password, hashedPW);

to

BCrypt.checkpw(enteredPassword, password);

Then it will evaluate properly.

It doesn't matter if the password is appended with a salt and the hash is generated from that.

Hashes of the same password with different salts, when evaluated against the password from which they were generated, will evaluate to true.

Hashing is a one-way algorithm; this means that we cannot recompute the password from its hash. We can only compare a password with the password's hash using the hashing algorithm. A hashing algorithm is typically used to generate the hash and to compare it with whatever it was generated from. We use hashing to store passwords securely.

harsha kumar Reddy answered Sep 30 '22 07:09
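As an added example, not part of the question or the answer above, the following stand-alone Java program puts the wrong call from the question next to the corrected one and takes the stored string apart to show where bcrypt keeps its salt. It assumes jBCrypt (org.mindrot.jbcrypt.BCrypt) on the classpath, which is the API the question uses; the class name BcryptDemo and the helpers register, loginWrong and loginRight are names chosen here, not anything from the question.

```java
// Added example, not code from the question or answer. Assumes the jBCrypt
// library (org.mindrot.jbcrypt.BCrypt) is on the classpath.
import org.mindrot.jbcrypt.BCrypt;

public class BcryptDemo {

    // Registration: hash once with a fresh random salt and store the whole
    // returned string. The cost (log2 rounds) and salt travel inside it.
    static String register(String plaintext) {
        // 12 = 2^12 rounds of bcrypt's key setup; raise it as hardware gets faster.
        return BCrypt.hashpw(plaintext, BCrypt.gensalt(12));
    }

    // The bug from the question: the entered password is hashed with a brand
    // new salt, and then the stored hash is passed as if it were the plaintext.
    // Because the salts differ and the arguments are swapped this is never true.
    static boolean loginWrong(String entered, String storedHash) {
        String rehashed = BCrypt.hashpw(entered, BCrypt.gensalt());
        return BCrypt.checkpw(storedHash, rehashed);
    }

    // The fix: plaintext first, stored hash second. checkpw reads the cost and
    // the 22-character salt out of storedHash, re-derives the hash with them,
    // and compares that to the stored hash. No new salt is involved.
    static boolean loginRight(String entered, String storedHash) {
        return BCrypt.checkpw(entered, storedHash);
    }

    // Split a 60-character bcrypt string into its parts for display:
    // "$2a$" + 2-digit cost + "$" + 22-char salt + 31-char hash.
    static String[] parts(String bcryptString) {
        return new String[] {
            bcryptString.substring(0, 4),   // version prefix, e.g. "$2a$"
            bcryptString.substring(4, 6),   // cost
            bcryptString.substring(7, 29),  // salt (radix-64, 22 chars)
            bcryptString.substring(29)      // hash (radix-64, 31 chars)
        };
    }

    public static void main(String[] args) {
        String secret = "correct horse battery staple"; // constructed sample password
        String stored = register(secret);

        String[] p = parts(stored);
        System.out.println("stored : " + stored);
        System.out.println("version: " + p[0] + "  cost: " + p[1]);
        System.out.println("salt   : " + p[2]);
        System.out.println("hash   : " + p[3]);

        // Hashing the same password a second time gives a different string,
        // because gensalt() returns a different salt each call.
        String again = register(secret);
        System.out.println("same string twice? " + stored.equals(again));

        // Both strings still verify, since each carries its own salt.
        System.out.println("checkpw vs first : " + loginRight(secret, stored));
        System.out.println("checkpw vs second: " + loginRight(secret, again));

        // The question's call order fails even with the right password ...
        System.out.println("swapped/resalted : " + loginWrong(secret, stored));
        // ... and the correct order still rejects a wrong password.
        System.out.println("wrong password   : " + loginRight("Tr0ub4dor&3", stored));
    }
}
```

Compile and run with the jBCrypt jar on the classpath (for example `javac -cp jbcrypt-0.4.jar BcryptDemo.java && java -cp jbcrypt-0.4.jar:. BcryptDemo`). Two practical caveats for the login path: never hash the entered password yourself before calling checkpw, and be aware that bcrypt only looks at the first 72 bytes of the input, so a length limit at the UI layer should match that.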