{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 Emotional °昔 的问题《Verifying Hashed Password From MySQL Database》','https://www.manongdao.com/q-657031.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I am using Java in Eclipse and am storing a hashed password in my database when a new user is created. This is done with this code..
String hashed_password = Password.hashPassword(passwordField.toString());
String query = "insert into user (username, password, usertype, license_code) values (?, ?, ?, ?)";
PreparedStatement pst = connection.prepareStatement(query);
pst.setString(1, userNameTextField.getText());
pst.setString(2, hashed_password);
I left out out some other details not associated with the password, however, my hashed value is stores in the database. I then login, and do the following code...
String test_passwd = passwordField.getText();
String test_hash = "$2a$12$N773YstmtU/1zIUe9An.r.P9U5BQp4o6.Qjk.J.zhA6ZtFytYuOZC";
System.out.println("Testing BCrypt Password hashing and verification");
System.out.println("Test password: " + test_passwd);
System.out.println("Test stored hash: " + test_hash);
System.out.println("Hashing test password...");
System.out.println();
String computed_hash = Password.hashPassword(test_passwd);
System.out.println("Test computed hash: " + computed_hash);
System.out.println();
System.out.println("Verifying that hash and stored hash both match for the test password...");
System.out.println();
String compare_test = Password.checkPassword(test_passwd, test_hash)
? "Passwords Match" : "Passwords do not match";
String compare_computed = Password.checkPassword(test_passwd, computed_hash)
? "Passwords Match" : "Passwords do not match";
System.out.println("Verify against stored hash: " + compare_test);
System.out.println("Verify against computed hash: " + compare_computed);
The test_hash variable is the hashed password that is stored in the database from the new user code. When I login, I know that I am using the same password that I used in the new user prompt.
However, here are my results:
Test stored hash: $2a$12$N773YstmtU/1zIUe9An.r.P9U5BQp4o6.Qjk.J.zhA6ZtFytYuOZC
Hashing test password...
Test computed hash: $2a$12$rbBleRV4gyLaY4.ZZ4fjiOrLW423TWYqKmv0ejws7mmFd2N3/eieK
Verifying that hash and stored hash both match for the test password...
Verify against stored hash: Passwords do not match
Verify against computed hash: Passwords Match
The results indicate that the password matches the hashed password right then and there, but doesn't match the hashed password in the database despite being the same initial password.
Here is the code where I hash the password and verify it...
public class Password {
// Define the BCrypt workload to use when generating password hashes. 10-31 is a valid value.
private static int workload = 12;
/**
* This method can be used to generate a string representing an account password
* suitable for storing in a database. It will be an OpenBSD-style crypt(3) formatted
* hash string of length=60
* The bcrypt workload is specified in the above static variable, a value from 10 to 31.
* A workload of 12 is a very reasonable safe default as of 2013.
* This automatically handles secure 128-bit salt generation and storage within the hash.
* @param password_plaintext The account's plaintext password as provided during account creation,
* or when changing an account's password.
* @return String - a string of length 60 that is the bcrypt hashed password in crypt(3) format.
*/
public static String hashPassword(String password_plaintext) {
String salt = BCrypt.gensalt(workload);
String hashed_password = BCrypt.hashpw(password_plaintext, salt);
return(hashed_password);
}
/**
* This method can be used to verify a computed hash from a plaintext (e.g. during a login
* request) with that of a stored hash from a database. The password hash from the database
* must be passed as the second variable.
* @param password_plaintext The account's plaintext password, as provided during a login request
* @param stored_hash The account's stored password hash, retrieved from the authorization database
* @return boolean - true if the password matches the password of the stored hash, false otherwise
*/
public static boolean checkPassword(String password_plaintext, String stored_hash) {
boolean password_verified = false;
if(null == stored_hash || !stored_hash.startsWith("$2a$"))
throw new java.lang.IllegalArgumentException("Invalid hash provided for comparison");
password_verified = BCrypt.checkpw(password_plaintext, stored_hash);
return(password_verified);
}
}
I suspect that you are introducing error into the hash either when storing it in the database or retrieving it, or both.
Try storing a hash in the database and retrieving it non-programmatically to compare it with the hash you generated. If they're identical, try retrieving it programmatically and compare it to see if there was any error introduced.
I'm not familiar with Java, but it seems to me that you got the value from the password input field the wrong way, maybe you should check this out: