I'm trying to implement authentication using BCrypt in my Play 2.1 Java application, but I'm getting an "Invalid salt version" exception
when I'm trying to authenti
You have to make sure that the first argument is the plaintext and the second one is the hashed password. This is the function's declaration:
public static boolean checkpw(String plaintext, String hashed)
I'm very sorry for bothering you with this question. I had just one bug in the code that was saving the plain string to the DB instead of the BCrypted one. It was all called from some other part of the code.
In my case, I have used {bcrypt} as a prefix during the insertion into the DB, for instance:
{bcrypt}$2a$12$Yb3YagKV8B3AXoY2p/Ldk.L2maVKfNlr2dedk4ZUs/YUlalS8EzYu
When I retrieve the password, the whole value including the prefix will be returned. So I have excluded the prefix from the hashed value.
String prefix = "{bcrypt}";
// Drop the "{bcrypt}" prefix so only the "$2a$..." hash itself is handed to checkpw
String hash_pw = user.getPassword().substring(prefix.length());
// Argument order matters: plaintext first, stored hash second
boolean matches = BCrypt.checkpw(loginRequest.getPassword(), hash_pw);
For others encountering the same exception, check that you have the BCrypt.checkpw
parameters the right way round. (I didn't and therefore found this question before I realised my silly mistake.)
Or as the OP answered himself, log/debug the value of the hashed password to double check you are actually comparing a hashed password! It should be a 60-char string in the format
$2a$10$llw0G6IyibUob8h5XRt9xuRczaGdCm/AiV6SSjf5v78XS824EGbh.
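Putting the points from the answers above together, here is an added example (not code from the question or from any of the answers) that strips an optional {bcrypt} prefix, sanity-checks the stored value against the bcrypt hash format before calling checkpw, and passes the arguments in the right order. It assumes the jBCrypt library (org.mindrot.jbcrypt.BCrypt); the class and method names BcryptCheck, stripPrefix, looksLikeBcrypt and verify are my own, and the regex's acceptance of $2b$ and $2y$ assumes a jBCrypt release that understands those minor versions.

```java
import java.util.regex.Pattern;

import org.mindrot.jbcrypt.BCrypt;

public class BcryptCheck {

    // Prefix some applications (e.g. Spring's DelegatingPasswordEncoder) store in front of the hash.
    private static final String PREFIX = "{bcrypt}";

    // A bcrypt hash is 60 chars: "$2" + minor version + "$" + 2-digit cost + "$" + 22-char salt + 31-char digest.
    // Assumption: the jBCrypt version in use accepts the $2a$, $2b$ and $2y$ minor versions;
    // older releases only understand $2a$, so narrow the character class if that is what you run.
    private static final Pattern BCRYPT_HASH =
            Pattern.compile("^\\$2[aby]\\$\\d{2}\\$[./A-Za-z0-9]{53}$");

    /** Remove the "{bcrypt}" prefix if the stored value carries one. */
    static String stripPrefix(String stored) {
        if (stored == null) {
            return null;
        }
        return stored.startsWith(PREFIX) ? stored.substring(PREFIX.length()) : stored;
    }

    /** True if the value is shaped like a bcrypt hash; a plaintext password saved by mistake fails this. */
    static boolean looksLikeBcrypt(String value) {
        return value != null && BCRYPT_HASH.matcher(value).matches();
    }

    /**
     * Verify a login attempt against the value read from the database.
     * Argument order: plaintext first, stored hash second, the order BCrypt.checkpw expects.
     * A stored value that is not a bcrypt hash is treated as a failed login and logged
     * (without echoing the value, which may be a plaintext password), instead of reaching
     * checkpw and surfacing as "Invalid salt version".
     */
    static boolean verify(String plaintext, String stored) {
        String hash = stripPrefix(stored);
        if (!looksLikeBcrypt(hash)) {
            System.err.println("stored credential is not a bcrypt hash; was the plaintext saved by mistake?");
            return false;
        }
        return BCrypt.checkpw(plaintext, hash);
    }

    public static void main(String[] args) {
        // Constructed sample: hash a password at cost 12, the way the registration path should.
        String hash = BCrypt.hashpw("correct horse battery staple", BCrypt.gensalt(12));

        System.out.println(verify("correct horse battery staple", hash));
        System.out.println(verify("correct horse battery staple", PREFIX + hash));
        System.out.println(verify("wrong password", hash));
        // The bug from the question: plaintext saved instead of a hash. Rejected, no exception thrown.
        System.out.println(verify("correct horse battery staple", "correct horse battery staple"));
    }
}
```

Compile and run it with jBCrypt on the classpath (Maven coordinate org.mindrot:jbcrypt). The format check is only a guard against the mistakes discussed in this thread; it is not a substitute for fixing the registration path that wrote a non-hash to the database in the first place.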
I encountered the same problem. Make sure your password is stored in the database in hashed format instead of plain text. Here is a Bcrypt generator to translate your plain text password into a Bcrypt hash.
BCrypt seems to throw this red herring if the 'hash' value you pass in to checkpw(password, hash) isn't even a decipherable value