BCrypt.checkpw() Invalid salt version exception

一生所求 2021-02-05 05:45

I'm trying to implement authentication using BCrypt in my Play 2.1 Java application, but I'm getting an Invalid salt version exception when I'm trying to authenti

7 answers
  • 2021-02-05 05:53

    You have to make sure that the first argument is the plaintext and the second one is the hashed password. This is the function's declaration:

     public static boolean checkpw(String plaintext, String hashed)
    
  • 2021-02-05 05:56

    I'm very sorry for bothering with this question. I had just one bug in the code that was saving plain string to the DB instead of the BCrypted one. It was whole called from some other part of code.

  • 2021-02-05 05:58

    In my case, I have used {bcrypt} as a prefix during the insertion into the DB.

    For instance:

    {bcrypt}$2a$12$Yb3YagKV8B3AXoY2p/Ldk.L2maVKfNlr2dedk4ZUs/YUlalS8EzYu
    

    When I retrieve the password, the whole value including the prefix will be returned. So I have excluded the prefix from the hashing value.

    String prefix = "{bcrypt}";

    // Strip the storage prefix so that only the bcrypt hash reaches checkpw
    String hash_pw = user.getPassword().substring(prefix.length());

    BCrypt.checkpw(loginRequest.getPassword(), hash_pw);
    
  • 2021-02-05 05:59

    For others encountering the same exception, check that you have the BCrypt.checkpw parameters the right way round. (I didn't and therefore found this question before I realised my silly mistake.)

    Or as the OP answered himself, log/debug the value of the hashed password to double check you are actually comparing a hashed password! It should be a 60-char string in the format $2a$10$llw0G6IyibUob8h5XRt9xuRczaGdCm/AiV6SSjf5v78XS824EGbh.

  • 2021-02-05 06:04

    I encountered the same problem. Make sure your password is stored in the database in hashed format instead of plain text. Here is a Bcrypt generator to translate your plain text password into a Bcrypt hash.

    0 讨论(0)
  • 2021-02-05 06:08

    BCrypt seems to throw this red herring if the 'hash' value you pass in to checkpw(password, hash) isn't even a decipherable value

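The checks suggested in the answers above, combined into one diagnostic to run on the stored value before it is passed as the second argument of `BCrypt.checkpw`. This is an added example, not part of the original thread and not jBCrypt code: the names `StoredHashCheck` and `diagnose` are hypothetical, the pattern assumes the 60-character `$2…$` layout one answer describes, and the first two sample values are the hashes quoted in the answers, with the third constructed.

```java
import java.util.regex.Pattern;

public class StoredHashCheck {
    // bcrypt modular-crypt layout: $2<rev>$<2-digit cost>$<22-char salt><31-char digest>,
    // 60 characters in total when the revision letter is present.
    private static final Pattern BCRYPT =
            Pattern.compile("^\\$2[abxy]?\\$\\d{2}\\$[./A-Za-z0-9]{53}$");
    private static final String PREFIX = "{bcrypt}";

    /** Classifies the value about to be used as checkpw's "hashed" argument. */
    static String diagnose(String stored) {
        if (stored == null || stored.isEmpty()) {
            return "EMPTY";            // nothing was saved for this user
        }
        if (stored.startsWith(PREFIX)) {
            // Storage prefix still attached: strip it before calling checkpw
            String rest = stored.substring(PREFIX.length());
            return BCRYPT.matcher(rest).matches() ? "PREFIXED" : "NOT_A_HASH";
        }
        // Plaintext saved by mistake, or swapped arguments, both end up here
        return BCRYPT.matcher(stored).matches() ? "OK" : "NOT_A_HASH";
    }

    public static void main(String[] args) {
        String[] samples = {
            // quoted in the answers above
            "$2a$10$llw0G6IyibUob8h5XRt9xuRczaGdCm/AiV6SSjf5v78XS824EGbh.",
            "{bcrypt}$2a$12$Yb3YagKV8B3AXoY2p/Ldk.L2maVKfNlr2dedk4ZUs/YUlalS8EzYu",
            // constructed: a plaintext password written to the DB by mistake
            "correct horse battery staple"
        };
        for (String s : samples) {
            // Log the verdict and the length only, never the stored value itself
            System.out.println(diagnose(s) + " (length " + s.length() + ")");
        }
    }
}
```

Logging only the verdict and length keeps plaintext passwords that were saved by mistake out of the application logs while the bug is being tracked down.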