Verify Passwords with BCrypt-Official

Question
-
User-1532731623 posted
Hi all,
I'm having difficulties using the BCrypt-Official NuGet package.
On my registration form the code I have to hash passwords is:
int cost = 12;
string passwordHash = BCrypt.Net.BCrypt.HashPassword(passwordTxt.Text, cost);
cmd.Parameters.AddWithValue("password", passwordHash);
This code works fine and I can see that the passwords have been hashed in the database.
The code I have to verify my passwords:
int cost = 12;
string passwordHash = BCrypt.Net.BCrypt.HashPassword(passwordTxt.Text, cost);
bool correctPassword = BCrypt.Net.BCrypt.Verify(storedPassword, passwordHash);
if (correctPassword == true)
{
    Response.Redirect("Default.aspx");
}
else
{
    loginOutput.Text = "Try again";
}
The output is always try again, but I am using the same cost in both hashing and verification.
Any help would be great, thanks!
Jack
Tuesday, June 6, 2017 12:08 PM
Answers
-
User-821857111 posted
According to the documentation, the Verify method takes the supplied password and the previously hashed password:
public static bool Verify(string text, string hash)
Parameters
- text
  Type: System.String
  The text to verify.
- hash
  Type: System.String
  The previously-hashed password.
Return Value
true if the passwords match, false otherwise.
You shouldn't hash the submitted password, and you should pass it as the first parameter:
bool correctPassword = BCrypt.Net.BCrypt.Verify(passwordTxt.Text, storedPassword);
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Tuesday, June 6, 2017 1:53 PM -
User-1532731623 posted
I've got an update for my problem:
(I've managed to get the documentation)
This is the new code for my password:
bool verifyPassword = BCrypt.Net.BCrypt.Verify(passwordTxt.Text, storedPassword);
With the IF statement underneath:
if (verifyPassword == true)
{
    Session["FirstName"] = firstName;
    Session["username"] = username;
    Session["admin"] = admin;
    Session["active"] = true;
    Response.Redirect("Default.aspx");
}
else
{
    loginOutput.Text = "Username or password incorrect. Try again..";
    MessageBox.Show(storedPassword.ToString());
}
The MessageBox always shows the hashed password from the DB, but for some reason the password is not verifying correctly.
Is there anything I need to change?
EDIT:
I have changed the data type in my DB to VARCHAR; I can now log in and it works fine. Thanks for your help!
Jack
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Tuesday, June 6, 2017 5:54 PM
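The two fixes from the answers above, side by side with the failing forms, as an added example that is not code from either poster. It assumes the BCrypt-Official package is referenced; the sample password, the helper name and the space-padded stored value are constructed for illustration (the thread does not say what the original column type was).

```csharp
using System;

// Added example, not code from the thread. Assumes the BCrypt-Official NuGet
// package is referenced; password, names and the padded value are constructed.
static class BcryptVerifyDemo
{
    const int BcryptHashLength = 60; // a bcrypt hash string is 60 characters

    // Hypothetical helper: sanity-check what came back from the database
    // before blaming Verify for a failed login.
    static bool LooksLikeStoredHash(string stored) =>
        stored != null
        && stored.Length == BcryptHashLength
        && stored.StartsWith("$2", StringComparison.Ordinal);

    static void Main()
    {
        string submitted = "correct horse battery staple"; // constructed sample

        // Registration: hash once and store the whole string unchanged.
        string storedHash = BCrypt.Net.BCrypt.HashPassword(submitted, 12);

        // Login as in the answer: plain text first, stored hash second.
        Console.WriteLine("Verify(submitted, stored):  "
            + BCrypt.Net.BCrypt.Verify(submitted, storedHash));

        // Login as in the question: HashPassword draws a new random salt on
        // every call, so the fresh hash differs from the stored one, and the
        // stored hash ends up in the plain-text position.
        string rehashed = BCrypt.Net.BCrypt.HashPassword(submitted, 12);
        Console.WriteLine("rehashed == stored:         " + (rehashed == storedHash));
        Console.WriteLine("Verify(stored, rehashed):   "
            + BCrypt.Net.BCrypt.Verify(storedHash, rehashed));

        // Assumed storage fault: a fixed-width column hands the value back
        // padded with spaces, so it is no longer the string that was stored.
        string padded = storedHash.PadRight(72);
        Console.WriteLine("padded looks like a hash:   " + LooksLikeStoredHash(padded));
        Console.WriteLine("Verify(submitted, padded):  "
            + BCrypt.Net.BCrypt.Verify(submitted, padded));
    }
}
```

Logging the length of the stored value, rather than displaying the hash itself, is enough to spot a column that pads or truncates.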
All replies
-
User-1532731623 posted
Hi Mike,
Thanks for your help.
I've changed the bool to your suggestion and I'm still getting the password incorrect message. Do I need to add the public static bool from your post?
If so, where do I need to insert it?
Thanks,
Jack
Tuesday, June 6, 2017 2:43 PM