2

Using one of the C# implementations of BCrypt to hash passwords and store them into a SQL database. However when I return to validate against the hash string BCrypt generates a different hash than the one in the database to compare to. The salts are visibly the same as well as the factors.

Here is what I know

$2a$12$vF/1s3MqIzHwnDshyzH/rOYUelofrj4UWv./vzWqk4o2K0uwhix7W is actually "Qwerty123" and its stored in a column which is initialized to be [nvarchar] (200).

When I use the BCrypt.Verify() or BCrypt.CheckPassword() depending on the implementation, I trace it until just before it makes the comparison and the hash that it is about to compare to the before mentioned one is $2a$12$vF/1s3MqIzHwnDshyzH/rOKVRePZSXFXaIpDv6.IPkbPEoOxZgSEe

If you look close you can see that the salts and the factor parts are the same. Any idea what could be causing this?

The explicit implementation I am working with can be found here http://bcrypt.codeplex.com/

My question could be related to ASP.NET MVC 3 app, BCrypt.CheckPassword failing

Community
  • 1
  • 1
GRush
  • 155
  • 4
  • 12
  • If you repeatedly BCrypt the same string on one server, do you keep getting the same encrypted version? – Brad Jun 30 '11 at 20:43
  • yes using the same string and salt the generated hash is the same each time. – GRush Jun 30 '11 at 21:01

2 Answers2

2

Suggestion for testing

private void FindWhatsFailing(string password) //password = Whatever you're passing in to verify BCrypt is working
{
  const string expectedpassword = "Qwerty123";
  if(expectedpassword != password)
  {
      Debug.WriteLine("My password isn't what I thought it was");
      return;
  }
  string hashed = BCrypt.HashPassword(expectedpassword , BCrypt.GenerateSalt(12));
  if(!BCrypt.Verify(expectedpassword , hashed))
  {
     Debug.WriteLine("Something is wrong with BCrypt");
     return;
  }

  /// ... Test hashing password, compare to hash of expectedpassword, verify password against hash of itself and expectedpassword

 Debug.WriteLine("Everything worked, maybe the database storage is off?");
}

If the Bcrypt.Verify isn't working in this example for you, I have no idea what's wrong, but I'm guessing Bcrypt isn't actually the issue here.

DMulligan
  • 8,993
  • 6
  • 33
  • 34
1

The problem was the input to Bcrypt. I was using a Multiview and MultiViewPanels to collect user data(of which a password), allow user to verify all the data, then on the last MultiViewPanel add the user to the DB and in that process there were postbacks. After some research I found that password fields do not retain their text property after postbacks for security reasons and because I was passing txtPassword.text to Bcrypt this was the problem. This makes a new problem for me to look into.

GRush
  • 155
  • 4
  • 12