java - Verifying Hashed Password From MySQL Database
I am using Java in Eclipse, and am storing a hashed password in my database when a new user is created. This is done with this code:
```java
String hashed_password = Password.hashPassword(passwordField.toString());

String query = "insert into user (username, password, usertype, license_code) values (?, ?, ?, ?)";
PreparedStatement pst = connection.prepareStatement(query);

pst.setString(1, usernameTextField.getText());
pst.setString(2, hashed_password);
```
I left out other details not associated with the password; however, the hashed value is stored in the database. For login, I use the following code:
```java
String test_passwd = passwordField.getText();
String test_hash = "$2a$12$n773ystmtu/1ziue9an.r.p9u5bqp4o6.qjk.j.zha6ztfytyuozc";

System.out.println("testing bcrypt password hashing , verification");
System.out.println("test password: " + test_passwd);
System.out.println("test stored hash: " + test_hash);
System.out.println("hashing test password...");
System.out.println();

String computed_hash = Password.hashPassword(test_passwd);
System.out.println("test computed hash: " + computed_hash);
System.out.println();
System.out.println("verifying hash , stored hash both match test password...");
System.out.println();

String compare_test = Password.checkPassword(test_passwd, test_hash)
        ? "passwords match" : "passwords not match";
String compare_computed = Password.checkPassword(test_passwd, computed_hash)
        ? "passwords match" : "passwords not match";

System.out.println("verify against stored hash: " + compare_test);
System.out.println("verify against computed hash: " + compare_computed);
```
The test_hash variable is the hashed password that is stored in the database by the new-user code. When I log in, I know that I am using the same password that I used in the new-user prompt.
However, here are my results:
```
test stored hash: $2a$12$n773ystmtu/1ziue9an.r.p9u5bqp4o6.qjk.j.zha6ztfytyuozc
hashing test password...
test computed hash: $2a$12$rbblerv4gylay4.zz4fjiorlw423twyqkmv0ejws7mmfd2n3/eiek
verifying hash , stored hash both match test password...
verify against stored hash: passwords not match
verify against computed hash: passwords match
```
The results indicate that the password matches the hashed password computed right then and there, but doesn't match the hashed password in the database, despite being the same initial password.
Here is the code where I hash the password and verify it:
```java
// Assumed import: the post does not show its imports. jBCrypt provides these calls.
import org.mindrot.jbcrypt.BCrypt;

public class Password {
    // Define the BCrypt workload to use when generating password hashes. 10-31 is a valid value.
    private static int workload = 12;

    /**
     * This method can be used to generate a string representing an account password
     * suitable for storing in a database. It will be an OpenBSD-style crypt(3) formatted
     * hash string of length=60.
     * The bcrypt workload is specified in the above static variable, a value from 10 to 31.
     * A workload of 12 is a reasonable safe default as of 2013.
     * This automatically handles secure 128-bit salt generation and storage within the hash.
     * @param password_plaintext The account's plaintext password as provided during account creation,
     *                           or when changing an account's password.
     * @return String - a string of length 60 that is the bcrypt hashed password in crypt(3) format.
     */
    public static String hashPassword(String password_plaintext) {
        String salt = BCrypt.gensalt(workload);
        String hashed_password = BCrypt.hashpw(password_plaintext, salt);
        return hashed_password;
    }

    /**
     * This method can be used to verify a computed hash from a plaintext (e.g. during a login
     * request) with that of a stored hash from a database. The password hash from the database
     * must be passed as the second variable.
     * @param password_plaintext The account's plaintext password, as provided during a login request
     * @param stored_hash The account's stored password hash, retrieved from the authorization database
     * @return boolean - true if the password matches the password of the stored hash, false otherwise
     */
    public static boolean checkPassword(String password_plaintext, String stored_hash) {
        boolean password_verified = false;

        if (null == stored_hash || !stored_hash.startsWith("$2a$"))
            throw new java.lang.IllegalArgumentException("Invalid hash provided for comparison");

        password_verified = BCrypt.checkpw(password_plaintext, stored_hash);
        return password_verified;
    }
}
```
I'm not familiar with Java, but it seems to me that you got the value of the password input field in the wrong way; maybe you should check this out:

```java
// In the registration form
passwordField.toString()

// In the login form
passwordField.getText()
```
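The mismatch the answer points at, as an added example that is not part of the original post: hashing `toString()` stores a hash of the component's description, so the password typed at login can never verify against it. It assumes a Swing `JPasswordField` (the post does not say which toolkit is used) and the jBCrypt library; the class name `RegistrationHashDemo` and the sample password are constructed for illustration.

```java
import java.util.Arrays;
import javax.swing.JPasswordField;
import org.mindrot.jbcrypt.BCrypt; // assumption: jBCrypt is on the classpath

public class RegistrationHashDemo {
    private static final int WORKLOAD = 12; // same cost as the question's Password class

    /** Hashes exactly the string it is given, as Password.hashPassword does. */
    static String hash(String input) {
        return BCrypt.hashpw(input, BCrypt.gensalt(WORKLOAD));
    }

    public static void main(String[] args) {
        // Constructed sample input: a Swing field holding the user's password.
        JPasswordField passwordField = new JPasswordField("correct horse");

        // Registration as posted: toString() describes the component, not its content.
        String described = passwordField.toString();
        String brokenHash = hash(described);

        // Registration reading the typed characters instead.
        char[] typed = passwordField.getPassword();
        String fixedHash = hash(new String(typed));
        Arrays.fill(typed, '\0'); // clear our copy of the password once it is hashed

        // Login: the same password typed again.
        String login = "correct horse";

        System.out.println("toString() begins: "
                + described.substring(0, Math.min(40, described.length())));
        System.out.println("login vs hash of toString():    "
                + BCrypt.checkpw(login, brokenHash));
        System.out.println("login vs hash of typed text:    "
                + BCrypt.checkpw(login, fixedHash));
        System.out.println("toString() vs hash of toString(): "
                + BCrypt.checkpw(described, brokenHash));
    }
}
```

Accounts registered through the `toString()` path hold hashes that no user password will match, so those users need a password reset after the registration code is corrected.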