
So I know many people ask why their encrypted password doesn't match with the input, but I couldn't find any specific case as for my situation.

I am using the Bcrypt Library of https://github.com/patrickfav/bcrypt in my Android Sqlite project.

When I use his example as follows:

String bcryptHashString = BCrypt.withDefaults().hashToString(12, password.toCharArray());
// $2a$12$US00g/uMhoSBm.HiuieBjeMtoN69SN.GE25fCpldebzkryUyopws6
    ...
BCrypt.Result result = BCrypt.verifyer().verify(password.toCharArray(), bcryptHashString);
// result.verified == true

it logs fine and says that the passwords match. But, when I call this verification from another method with the same password, it always says "false". Can somebody explain to me why this happens and how I can fix it?
Alon

1 Answer


Your problem is that you generate a new salt with each call of the following line:

String bcryptHashString = BCrypt.withDefaults().hashToString(12, password.toCharArray());

You will need to store this somewhere and then use it to verify the password. By using a new salt it will always fail the check.

Fullslack
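As an added example (not code from the question, the answer, or the bcrypt library's own samples), here is the store-then-verify pattern the answer describes, using the `at.favre.lib.crypto.bcrypt` API from the library linked in the question. The `Map` standing in for the SQLite users table, the `register`/`login`/`loginBroken` method names and the sample credentials are assumptions made for this example.

```java
import at.favre.lib.crypto.bcrypt.BCrypt;

import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

public class PasswordStore {

    // Stands in for the SQLite users table (assumption made for this example):
    // username -> the bcrypt hash string exactly as returned by hashToString().
    private final Map<String, String> users = new HashMap<>();

    // Registration: hash once and persist the whole "$2a$12$<salt><hash>" string.
    // The random 22-character salt is embedded in that string, so it is the only
    // thing that needs to be stored; no separate salt column is required.
    public void register(String username, char[] password) {
        String bcryptHashString = BCrypt.withDefaults().hashToString(12, password);
        users.put(username, bcryptHashString);
        Arrays.fill(password, '\0'); // drop the plaintext from memory once hashed
    }

    // Login: verify the entered password against the STORED hash. verify() parses
    // the cost and salt out of the stored string and recomputes the hash with that
    // same salt, which is why the comparison succeeds for the correct password.
    public boolean login(String username, char[] password) {
        String storedHash = users.get(username);
        if (storedHash == null) {
            return false; // unknown user; do not reveal whether the account exists
        }
        BCrypt.Result result = BCrypt.verifyer().verify(password, storedHash);
        Arrays.fill(password, '\0');
        return result.verified;
    }

    // The pattern the question ran into: hashing again at login time draws a fresh
    // random salt, so the new string differs from the stored one even when the
    // password is correct. Shown here only to contrast with login() above.
    public boolean loginBroken(String username, char[] password) {
        String storedHash = users.get(username);
        String freshHash = BCrypt.withDefaults().hashToString(12, password);
        return freshHash.equals(storedHash); // fails: different salt, different string
    }

    public static void main(String[] args) {
        PasswordStore store = new PasswordStore();
        // Constructed sample credentials.
        store.register("alice", "correct horse battery staple".toCharArray());

        System.out.println("correct password, verify against stored hash: "
                + store.login("alice", "correct horse battery staple".toCharArray()));
        System.out.println("wrong password, verify against stored hash:   "
                + store.login("alice", "not the password".toCharArray()));
        System.out.println("correct password, re-hash and compare:        "
                + store.loginBroken("alice", "correct horse battery staple".toCharArray()));
    }
}
```

In the Android project the `users` map would be a table holding the `bcryptHashString` column; the verification method then reads that stored string back from SQLite and passes it as the second argument to `verify()`, never calling `hashToString()` a second time for the same password.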