Verify Passwords with BCrypt-Official

  • Question

  • User-1532731623 posted

    Hi all,

    I'm having difficulties using the BCrypt-Official NuGet package.

    On my registration form the code I have to hash passwords is:

    int cost = 12;
    string passwordHash = BCrypt.Net.BCrypt.HashPassword(passwordTxt.Text, cost);
    cmd.Parameters.AddWithValue("password", passwordHash);

    This code works fine and I can see that the passwords have been hashed in the database.

    The code I have to verify my passwords:

    int cost = 12;
    string passwordHash = BCrypt.Net.BCrypt.HashPassword(passwordTxt.Text, cost);
    
    bool correctPassword = BCrypt.Net.BCrypt.Verify(storedPassword, passwordHash);
    
    if (correctPassword == true)
    {
        Response.Redirect("Default.aspx");
    }
    else
    {
        loginOutput.Text = "Try again";
    }

    The output is always try again, but I am using the same cost in both hashing and verification.

    Any help would be great, thanks!

    Jack

    Tuesday, June 6, 2017 12:08 PM

All replies

  • User-821857111 posted

    According to the documentation, the Verify method takes the supplied password and the previously hashed password:

    public static bool Verify(
    	string text,
    	string hash
    )

    Parameters

    text
    Type: System.String
    The text to verify.

    hash
    Type: System.String
    The previously-hashed password.

    Return Value

    true if the passwords match, false otherwise.

    You shouldn't hash the submitted password, and you should pass it as the first parameter:

    bool correctPassword = BCrypt.Net.BCrypt.Verify(passwordTxt.Text, storedPassword);
    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, June 6, 2017 1:53 PM
  • User-1532731623 posted

    Hi Mike,

    Thanks for your help.

    I've changed the bool to your suggestion and I'm still getting the password incorrect message. Do I need to add the public static bool from your post?

    If so, where do I need to insert it?

    Thanks,
    Jack

    Tuesday, June 6, 2017 2:43 PM
  • User-1532731623 posted

    I've got an update for my problem:

    (I've managed to get the documentation)

    This is the new code for my password:

    bool verifyPassword = BCrypt.Net.BCrypt.Verify(passwordTxt.Text, storedPassword);

    With the IF statement underneath:

    if (verifyPassword == true)
    {
        Session["FirstName"] = firstName;
        Session["username"] = username;
        Session["admin"] = admin;
        Session["active"] = true;

        Response.Redirect("Default.aspx");
    }
    else
    {
        loginOutput.Text = "Username or password incorrect. Try again..";
        MessageBox.Show(storedPassword.ToString());
    }

    The MessageBox always shows the hashed password from the DB, but for some reason the password is not verifying correctly.

    Is there anything I need to change?

    EDIT:

    I have changed the Data Type in my DB to VARCHAR, I can now login and it works fine. Thanks for your help!

    Jack

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, June 6, 2017 5:54 PM
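
The two causes this thread arrives at, as an added C# example that is not part of the original posts: re-hashing the submitted password cannot match because every hash gets a new random salt, and a stored value that is not exactly the 60-character bcrypt string fails verification. The `VerifyStored` helper, the sample password and the padded-column scenario are assumptions (the thread does not say what the column type was before VARCHAR).

```csharp
using System;

// Added example; needs a BCrypt.Net package such as the BCrypt-Official
// NuGet package used in the thread. The password is a constructed sample.
static class BcryptVerifyDemo
{
    const int BcryptHashLength = 60; // length of a bcrypt hash string

    // Hypothetical helper: verify a login attempt against the value read from
    // the database and report a stored value that is not one bcrypt hash long.
    static bool VerifyStored(string submitted, string storedFromDb, out string problem)
    {
        problem = "none";
        if (storedFromDb.Length != BcryptHashLength)
            problem = $"stored value is {storedFromDb.Length} chars, expected {BcryptHashLength}";

        // Plain-text attempt first, stored hash second. Verify reads the cost
        // and salt out of the stored hash, so the login code supplies neither.
        return BCrypt.Net.BCrypt.Verify(submitted, storedFromDb);
    }

    static void Main()
    {
        const string password = "correct horse battery staple"; // constructed sample
        string stored = BCrypt.Net.BCrypt.HashPassword(password, 12);

        // 1. Hashing the same password again gives a different string, because
        //    each HashPassword call generates a fresh random salt.
        string rehashed = BCrypt.Net.BCrypt.HashPassword(password, 12);
        Console.WriteLine($"re-hash equals stored:    {rehashed == stored}");

        // 2. The call from the question: arguments swapped, input re-hashed.
        bool swapped = BCrypt.Net.BCrypt.Verify(stored, rehashed);
        Console.WriteLine($"Verify(stored, re-hash):  {swapped}");

        // 3. The corrected call from the answer.
        bool correct = VerifyStored(password, stored, out _);
        Console.WriteLine($"Verify(password, stored): {correct}");

        // 4. Assumption: a fixed-width column returned the hash padded with
        //    trailing spaces, so the stored string no longer equals the hash.
        string padded = stored.PadRight(100);
        bool paddedOk = VerifyStored(password, padded, out string problem);
        Console.WriteLine($"padded value verifies:    {paddedOk} ({problem})");
    }
}
```

Only the third call succeeds; the length check in the fourth reports the schema problem instead of leaving a bare failed login.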