chrisvoo/bcrypt.txt

## bcrypt.txt
/* $2$(2 chars work)$(22 chars salt)(31 chars hash)
 * 2 - the original BCrypt, which has been deprecated because of a security issue a long time before BCrypt became popular.
 * 2a - the official BCrypt algorithm and a insecure implementation in crypt_blowfish
 * 2x - suggested for hashes created by the insecure algorithm for compatibility
 * 2y - suggested new marker for the fixed crypt_blowfish
 *
 * So 2a hashes created by the original algorithm or the java port are fine, and identical to 2y-hashes created by
 * crypt_blowfish. But 2a hashes created by crypt_blowfish are insecure. */


// Java Spring Security 4+
// http://stackoverflow.com/questions/29740597/is-spring-securitys-bcrypt-implementation-vulnerable
// not interoperable with PHP $2y, just replace it
String password = "plaintextPassword";
PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
String hashedPassword = passwordEncoder.encode(password);
System.out.println(hashedPassword);

// PHP 5.5+
// http://php.net/password_hash
// http://php.net/password_verify
$hash = password_hash("plaintextPassword", PASSWORD_BCRYPT, array("cost" => 11));
echo $hash;
if(password_verify("plaintextPassword", $hash))
   echo "password ok";
else
   echo "password FAIL";

-- PostgreSQL 8.4+
-- http://www.postgresql.org/docs/9.4/static/pgcrypto.html
CREATE EXTENSION pgcrypto;
SELECT crypt('plaintextPassword', gen_salt('bf', 11));
-- $2a$10$d6xTF88NYNb8solSKuv8NuFeIFkSNTjz4AVtctw3Z8WCSvpCuTtlS
SELECT crypt('plaintextPassword', '$2a$10$d6xTF88NYNb8solSKuv8NuFeIFkSNTjz4AVtctw3Z8WCSvpCuTtlS') = '$2a$10$d6xTF88NYNb8solSKuv8NuFeIFkSNTjz4AVtctw3Z8WCSvpCuTtlS'


# Python
# pip install bcrypt
# https://code.google.com/p/py-bcrypt/
# https://pypi.python.org/pypi/bcrypt
import bcrypt

# gensalt's log_rounds parameter determines the complexity.
# The work factor is 2**log_rounds, and the default is 12
hashed = bcrypt.hashpw(password, bcrypt.gensalt(10));

# Check that an unencrypted password matches one that has
# previously been hashed
if bcrypt.hashpw(password, hashed) == hashed:
        print "It matches"
else:
        print "It does not match"
	/* $2$(2 chars work)$(22 chars salt)(31 chars hash)
	* 2 - the original BCrypt, which has been deprecated because of a security issue a long time before BCrypt became popular.
	* 2a - the official BCrypt algorithm and a insecure implementation in crypt_blowfish
	* 2x - suggested for hashes created by the insecure algorithm for compatibility
	* 2y - suggested new marker for the fixed crypt_blowfish
	*
	* So 2a hashes created by the original algorithm or the java port are fine, and identical to 2y-hashes created by
	* crypt_blowfish. But 2a hashes created by crypt_blowfish are insecure. */


	// Java Spring Security 4+
	// http://stackoverflow.com/questions/29740597/is-spring-securitys-bcrypt-implementation-vulnerable
	// not interoperable with PHP $2y, just replace it
	String password = "plaintextPassword";
	PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
	String hashedPassword = passwordEncoder.encode(password);
	System.out.println(hashedPassword);

	// PHP 5.5+
	// http://php.net/password_hash
	// http://php.net/password_verify
	$hash = password_hash("plaintextPassword", PASSWORD_BCRYPT, array("cost" => 11));
	echo $hash;
	if(password_verify("plaintextPassword", $hash))
	echo "password ok";
	else
	echo "password FAIL";

	-- PostgreSQL 8.4+
	-- http://www.postgresql.org/docs/9.4/static/pgcrypto.html
	CREATE EXTENSION pgcrypto;
	SELECT crypt('plaintextPassword', gen_salt('bf', 11));
	-- $2a$10$d6xTF88NYNb8solSKuv8NuFeIFkSNTjz4AVtctw3Z8WCSvpCuTtlS
	SELECT crypt('plaintextPassword', '$2a$10$d6xTF88NYNb8solSKuv8NuFeIFkSNTjz4AVtctw3Z8WCSvpCuTtlS') = '$2a$10$d6xTF88NYNb8solSKuv8NuFeIFkSNTjz4AVtctw3Z8WCSvpCuTtlS'


	# Python
	# pip install bcrypt
	# https://code.google.com/p/py-bcrypt/
	# https://pypi.python.org/pypi/bcrypt
	import bcrypt

	# gensalt's log_rounds parameter determines the complexity.
	# The work factor is 2**log_rounds, and the default is 12
	hashed = bcrypt.hashpw(password, bcrypt.gensalt(10));

	# Check that an unencrypted password matches one that has
	# previously been hashed
	if bcrypt.hashpw(password, hashed) == hashed:
	print "It matches"
	else:
	print "It does not match"