I have the following password stored in a database:

$2a$10$0T6qQvTwZoa8hG9Gw.iuiuJ4cXPdfnO21h.meL9QIqwIhjNx2WNHa

It is a bcrypt password stored by the following java command:

String passwordHash = BCrypt.hashpw(user.getPassword(), BCrypt.gensalt());

I know this password is "asdfasdf" because I entered it in. How would I get a "True" response from Python using its bcrypt library? Here is what I'm currently doing:

import bcrypt

# bcrypt.checkpw() takes bytes; on Python 2.7 a str is already bytes,
# on Python 3 both arguments must be explicitly encoded.
password = b"asdfasdf"
previous_hash = b"$2a$10$0T6qQvTwZoa8hG9Gw.iuiuJ4cXPdfnO21h.meL9QIqwIhjNx2WNHa"
bcrypt.checkpw(password, previous_hash)
# → False (the result observed by the asker)
David542
  • Which version of Python? – John Zwinck Sep 29 '18 at 06:46
  • @JohnZwinck -- 2.7 -- it seems that if I create a bcrypt in django it starts with `$2b`, whereas in this java app it starts with `$2a`. Do you think that could be related? – David542 Sep 29 '18 at 06:48
  • 1
    Try running `hashpw()` on the exact same password and salt. In other words, generate a salt from either Python or Java and pass it explicitly to `hashpw()` in both languages and compare the output. Do they match? – John Zwinck Sep 29 '18 at 06:52
  • 1
    https://stackoverflow.com/questions/27413248/why-can-bcrypt-hashpw-be-used-both-for-hashing-and-verifying-passwords – Sneftel Sep 29 '18 at 06:59
  • Relevant: [insecure-versions-of-crypt-hashes](https://security.stackexchange.com/questions/20541/insecure-versions-of-crypt-hashes/20543#20543) and [invalid-salt-revision-when-comparing-python-generated-hash-with-raw-password-in](https://stackoverflow.com/questions/49095166/invalid-salt-revision-when-comparing-python-generated-hash-with-raw-password-in) – stovfl Sep 29 '18 at 08:24

1 Answer

You could use:

previous_hash == bcrypt.hashpw(password, previous_hash)
Rik