@chrisvoo
Last active October 6, 2016 04:12
BCrypt implementations
/* Hash string layout: $<marker>$(2 chars work factor)$(22 chars salt)(31 chars hash). Known markers:
 * 2  - the original BCrypt, deprecated because of a security issue long before BCrypt became popular.
 * 2a - the official BCrypt algorithm, but also an insecure implementation in crypt_blowfish
 * 2x - suggested for hashes created by the insecure crypt_blowfish code, for compatibility
 * 2y - suggested new marker for the fixed crypt_blowfish
 *
 * So 2a hashes created by the original algorithm or the Java port are fine, and identical to 2y hashes created by
 * crypt_blowfish. But 2a hashes created by the old (unfixed) crypt_blowfish are insecure. */
// Java, Spring Security 4+
// http://stackoverflow.com/questions/29740597/is-spring-securitys-bcrypt-implementation-vulnerable
// Produces and accepts $2a$ hashes only; it is not interoperable with PHP's $2y$ prefix, so replace "$2y$" with "$2a$" before calling matches()
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

String password = "plaintextPassword";
PasswordEncoder passwordEncoder = new BCryptPasswordEncoder(); // default strength (work factor) is 10
String hashedPassword = passwordEncoder.encode(password);       // random salt, returns the full $2a$10$... string
System.out.println(hashedPassword);
// verification: matches() re-hashes the candidate with the salt embedded in the stored hash and compares
boolean ok = passwordEncoder.matches(password, hashedPassword);
// PHP 5.5+
// http://php.net/password_hash
// http://php.net/password_verify
// password_hash generates a random salt and returns a $2y$ hash; password_verify compares in constant time
$hash = password_hash("plaintextPassword", PASSWORD_BCRYPT, array("cost" => 11));
echo $hash;
if (password_verify("plaintextPassword", $hash)) {
    echo "password ok";
} else {
    echo "password FAIL";
}
-- PostgreSQL 8.4+
-- http://www.postgresql.org/docs/9.4/static/pgcrypto.html
CREATE EXTENSION pgcrypto;
-- gen_salt('bf', n) picks a random salt with work factor n (2^n iterations); crypt() returns the full $2a$... string
SELECT crypt('plaintextPassword', gen_salt('bf', 11));
-- example output (note: this sample carries cost 10, not the 11 requested above)
-- $2a$10$d6xTF88NYNb8solSKuv8NuFeIFkSNTjz4AVtctw3Z8WCSvpCuTtlS
-- verify by passing the stored hash as the salt: crypt() reuses its marker, cost and salt, so the result must equal the stored value
SELECT crypt('plaintextPassword', '$2a$10$d6xTF88NYNb8solSKuv8NuFeIFkSNTjz4AVtctw3Z8WCSvpCuTtlS') = '$2a$10$d6xTF88NYNb8solSKuv8NuFeIFkSNTjz4AVtctw3Z8WCSvpCuTtlS';
# Python
# pip install bcrypt
# https://code.google.com/p/py-bcrypt/
# https://pypi.python.org/pypi/bcrypt
import bcrypt

# gensalt's first parameter (log_rounds in py-bcrypt, rounds in pyca/bcrypt) determines the complexity.
# The work factor is 2**log_rounds, and the default is 12.
# The pyca bcrypt package requires bytes, not str, so encode the password first.
password = b"plaintextPassword"
hashed = bcrypt.hashpw(password, bcrypt.gensalt(10))
# Check that a plaintext password matches one that has
# previously been hashed: hashpw reuses the salt embedded in `hashed`.
# Newer pyca/bcrypt releases also offer bcrypt.checkpw(password, hashed), which compares in constant time.
if bcrypt.hashpw(password, hashed) == hashed:
    print("It matches")
else:
    print("It does not match")
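The hash-string layout described in the comment block at the top, and the "$2y to $2a" relabeling the Java note mentions, as an added stdlib-only Python example that is not part of the gist: it splits a bcrypt string into marker, cost, salt and hash, reports whether a stored hash should be upgraded to a higher cost (the same question PHP's password_needs_rehash answers), and relabels only $2y$ hashes, since 2x and plain 2 hashes come from the buggy or deprecated code. The sample hash is the one from the PostgreSQL section; the function names are my own.

```python
import re

# Sample hash taken from the PostgreSQL section above (marker 2a, cost 10).
SAMPLE_HASH = "$2a$10$d6xTF88NYNb8solSKuv8NuFeIFkSNTjz4AVtctw3Z8WCSvpCuTtlS"

# $<marker>$<2-digit cost>$<22-char salt><31-char hash>; bcrypt's base64 alphabet is ./A-Za-z0-9
_BCRYPT_RE = re.compile(r"^\$(2[axy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

MARKERS = {
    "2":  "original bcrypt, deprecated",
    "2a": "standard bcrypt (but old crypt_blowfish produced insecure 2a hashes)",
    "2x": "hash produced by the insecure crypt_blowfish code, kept for compatibility",
    "2y": "fixed crypt_blowfish, identical to correct 2a output",
}

def parse_bcrypt(h):
    """Split a bcrypt string into its fields; raises ValueError on anything malformed."""
    m = _BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a bcrypt hash string")
    marker, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:          # valid bcrypt cost range
        raise ValueError("cost out of range")
    return {"marker": marker, "cost": cost, "salt": salt, "hash": digest, "note": MARKERS[marker]}

def to_2a_prefix(h):
    """Relabel a $2y$ hash as $2a$ for a verifier that only accepts 2a (e.g. Spring Security 4).
    Only 2y is safe to relabel: its output is identical to correct 2a. 2x marks hashes from the
    buggy code and 2 is the deprecated original, so those are refused rather than silently accepted."""
    info = parse_bcrypt(h)
    if info["marker"] == "2y":
        return "$2a$" + h[4:]        # "$2y$" and "$2a$" are both 4 characters
    if info["marker"] == "2a":
        return h
    raise ValueError("refusing to relabel a $%s$ hash as 2a" % info["marker"])

def needs_rehash(h, target_cost):
    """True when the stored hash should be regenerated: wrong/legacy marker or cost below target."""
    info = parse_bcrypt(h)
    return info["marker"] not in ("2a", "2y") or info["cost"] < target_cost
```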