How to compare 2 passwords in BCrypt in Ruby?

Question

I'm using the gem "bcrypt". It's a Rack app. Once I've created a password hash and stored it in my db,

    # register a user

    plain_pass = get_input_from_user
    pass_hash = BCrypt::Password.create(params["pass"])

    # store in db
    # ......

how can I then compare to the plain that comes from a user?

    email = get_user_email
    usr = User.first(email: params["email"])

    plain_pass = params["pass"]
    pass_hash = ?????
    if usr.pass_hash == pass_hash
      # ok, all good

The issue is that Password.create creates a new password each time, even with the same input:

irb(main):038:0> BCrypt::Password.create("aaa")
=> "$2a$10$CCWMcREb5mP2ldFshb4qiua.VK2ABHXCtDSzj2WwYf/KsZQjoDGoO"

irb(main):039:0> BCrypt::Password.create("aaa")
=> "$2a$10$w9rAu9FmLZ/jQ7IQmXutW.nh272ucS0PsIrMYUMBrDQpt4U70wOqa"

Aaron Breckenridge · Answer 1 · 2018-03-08T02:57:38.113

4

Make sure you're using ==. Your example shows assignment (=).

Bcrypt::Password overrides the == method, which is how you should compare passwords:

crypted_password = Bcrypt::Password.create("foobarbaz")
# save crypted_password to db

# Presumably later on when your user returns
BCrypt::Password.new(crypted_password) == "foobarbaz" # => true

edited Mar 08 '18 at 02:57

answered Mar 08 '18 at 02:29

Aaron Breckenridge

1,723
18
25

how does that help me? – jerry Mar 08 '18 at 02:35
you didn't understand my question – jerry Mar 08 '18 at 02:35
True, you'll need to also use `BCrypt::Password.new` – Aaron Breckenridge Mar 08 '18 at 02:45
1

For anyone wanting a bit more detail on this, https://stackoverflow.com/a/44778735/328817 might be helpful. – Sam Dec 23 '20 at 17:04

How to compare 2 passwords in BCrypt in Ruby?

1 Answers1