Verifying a PBKDF2 password hash in python-pbkdf2

Question

I am using the snippet below to encrypt user password before saving in the database.

from pbkdf2 import crypt
pwhash = crypt(password_from_user)

Example: $p5k2$$Y0qfZ64u$A/pYO.3Mt9HstUtEEhWH/RXBg16EXDMr

Then, I save this in database. Well locally, I can perform a check doing something like this:

from pbkdf2 import crypt
  pwhash = crypt("secret")
  alleged_pw = raw_input("Enter password: ")
  if pwhash == crypt(alleged_pw, pwhash):
      print "Password good"
  else:
      print "Invalid password"

but how do I perform checks with what is on the db as the encrypted string is not always the same. I'm using python-pbkdf2.

What do you mean by *"is not always the same"*? Does the verification work only sometimes or does it always work for some passwords, but not for others? — Artjom B., Oct 14 '15 at 20:19

Belvi Nosakhare · Accepted Answer · 2015-10-15T23:00:23.150

Okey, Did more research and figured out that to achieve this, i first have to encrypt the password and save in db.as:

pwhash = crypt("secret",iterations=1000)

which can produce a string like $p5k2$3e8$her4h.6b$.p.OE5Gy4Nfgue4D5OKiEVWdvbxBovxm

and to validate when a user wants to login with same password, i use the function below:

def isValidPassword(userPassword,hashKeyInDB):
     result = crypt(userPassword,hashKeyInDB,iterations = 1000)
     return reesult == hashKeyInDB #hashKeyInDB in this case is $p5k2$3e8$her4h.6b$.p.OE5Gy4Nfgue4D5OKiEVWdvbxBovxm

this method returns True if the password is same or False if otherwise.

Verifying a PBKDF2 password hash in python-pbkdf2

1 Answers1