0

I am using Python 3.9.7 and Django 3.2.7.

Issue details

The following code is being used to verify the submitted password.

I can confirm that the submitted password has a valid value and user.password is a hashed password stored in the database.

passwordCheckResult = check_password(request.POST.get("password"), user.password)
print(passwordCheckResult)

Why does it always return False?

Hashed password: pbkdf2_sha256$260000$Y0LeK0HJ90YPrj5lOijV20$oFRLMk
Plain password: 123

What I searched so far

Django check_password() always returning False but this is not fixing my issue.

The below code works but not the above one.

hashed = make_password("123")
check_password("123", hashed)  # This returns True

Model

class tblusers(models.Model):
    user_id = BigAutoField(primary_key=True)
    password = CharField(max_length=50, null=False)
    created_at = DateTimeField(auto_now_add=True, blank=True)
aaron
  • 39,695
  • 6
  • 46
  • 102
Pankaj
  • 9,749
  • 32
  • 139
  • 283

2 Answers2

2

Hashed password: pbkdf2_sha256$260000$Y0LeK0HJ90YPrj5lOijV20$oFRLMk

max_length=50 is too short, causing the hash to be cut off.

Change it to 128, like Django's AbstractBaseUser.password.

class tblusers(models.Model):
    user_id = BigAutoField(primary_key=True)
    # password = CharField(max_length=50, null=False)  # Change this
    password = CharField(max_length=128, null=False)   # to this
    created_at = DateTimeField(auto_now_add=True, blank=True)
aaron
  • 39,695
  • 6
  • 46
  • 102
-1

Why not using directly User check_password ?

example:

user.check_password(request.POST.get("password"))

here user is your User instance

Edit 1:

I will assume that request.POST.get("password") is returning a real value, try to strip the value like this:

check_password(request.POST.get("password").strip(), user.password.password)

if request.POST.get("password") is returning None, so double check if the input have the correct attribute name="password"

B. Okba
  • 1,021
  • 12
  • 16