从 MySQL 数据库验证散列密码
Verifying Hashed Password From MySQL Database
我在 Eclipse 中使用 Java,并在创建新用户时将散列密码存储在我的数据库中。这是用这段代码完成的..
String hashed_password = Password.hashPassword(passwordField.toString());
String query = "insert into user (username, password, usertype, license_code) values (?, ?, ?, ?)";
PreparedStatement pst = connection.prepareStatement(query);
pst.setString(1, userNameTextField.getText());
pst.setString(2, hashed_password);
我遗漏了一些与密码无关的其他细节,但是,我的散列值存储在数据库中。然后我登录,并执行以下代码...
String test_passwd = passwordField.getText();
String test_hash = "a$N773YstmtU/1zIUe9An.r.P9U5BQp4o6.Qjk.J.zhA6ZtFytYuOZC";
System.out.println("Testing BCrypt Password hashing and verification");
System.out.println("Test password: " + test_passwd);
System.out.println("Test stored hash: " + test_hash);
System.out.println("Hashing test password...");
System.out.println();
String computed_hash = Password.hashPassword(test_passwd);
System.out.println("Test computed hash: " + computed_hash);
System.out.println();
System.out.println("Verifying that hash and stored hash both match for the test password...");
System.out.println();
String compare_test = Password.checkPassword(test_passwd, test_hash)
? "Passwords Match" : "Passwords do not match";
String compare_computed = Password.checkPassword(test_passwd, computed_hash)
? "Passwords Match" : "Passwords do not match";
System.out.println("Verify against stored hash: " + compare_test);
System.out.println("Verify against computed hash: " + compare_computed);
test_hash 变量是从新用户代码存储在数据库中的散列密码。当我登录时,我知道我使用的密码与我在新用户提示中使用的密码相同。
但是,这是我的结果:
Test stored hash: a$N773YstmtU/1zIUe9An.r.P9U5BQp4o6.Qjk.J.zhA6ZtFytYuOZC
Hashing test password...
Test computed hash: a$rbBleRV4gyLaY4.ZZ4fjiOrLW423TWYqKmv0ejws7mmFd2N3/eieK
Verifying that hash and stored hash both match for the test password...
Verify against stored hash: Passwords do not match
Verify against computed hash: Passwords Match
结果表明密码当时和那里的哈希密码匹配,但与数据库中的哈希密码不匹配,尽管初始密码相同。
这是我对密码进行哈希处理并验证它的代码...
public class Password {
// Define the BCrypt workload to use when generating password hashes. 10-31 is a valid value.
private static int workload = 12;
/**
* This method can be used to generate a string representing an account password
* suitable for storing in a database. It will be an OpenBSD-style crypt(3) formatted
* hash string of length=60
* The bcrypt workload is specified in the above static variable, a value from 10 to 31.
* A workload of 12 is a very reasonable safe default as of 2013.
* This automatically handles secure 128-bit salt generation and storage within the hash.
* @param password_plaintext The account's plaintext password as provided during account creation,
* or when changing an account's password.
* @return String - a string of length 60 that is the bcrypt hashed password in crypt(3) format.
*/
public static String hashPassword(String password_plaintext) {
String salt = BCrypt.gensalt(workload);
String hashed_password = BCrypt.hashpw(password_plaintext, salt);
return(hashed_password);
}
/**
* This method can be used to verify a computed hash from a plaintext (e.g. during a login
* request) with that of a stored hash from a database. The password hash from the database
* must be passed as the second variable.
* @param password_plaintext The account's plaintext password, as provided during a login request
* @param stored_hash The account's stored password hash, retrieved from the authorization database
* @return boolean - true if the password matches the password of the stored hash, false otherwise
*/
public static boolean checkPassword(String password_plaintext, String stored_hash) {
boolean password_verified = false;
if(null == stored_hash || !stored_hash.startsWith("a$"))
throw new java.lang.IllegalArgumentException("Invalid hash provided for comparison");
password_verified = BCrypt.checkpw(password_plaintext, stored_hash);
return(password_verified);
}
}
我怀疑您在将哈希存储在数据库中或检索它时,或两者都将错误引入哈希中。
尝试将散列存储在数据库中并以非编程方式检索它以将其与您生成的散列进行比较。如果它们相同,请尝试以编程方式检索它并比较它以查看是否引入了任何错误。
我不熟悉 Java,但在我看来,您从密码输入字段中获取值的方式有误,也许您应该检查一下:
// In the registration form
passwordField.toString()
// In the login form
passwordField.getText()
我在 Eclipse 中使用 Java,并在创建新用户时将散列密码存储在我的数据库中。这是用这段代码完成的..
String hashed_password = Password.hashPassword(passwordField.toString());
String query = "insert into user (username, password, usertype, license_code) values (?, ?, ?, ?)";
PreparedStatement pst = connection.prepareStatement(query);
pst.setString(1, userNameTextField.getText());
pst.setString(2, hashed_password);
我遗漏了一些与密码无关的其他细节,但是,我的散列值存储在数据库中。然后我登录,并执行以下代码...
String test_passwd = passwordField.getText();
String test_hash = "a$N773YstmtU/1zIUe9An.r.P9U5BQp4o6.Qjk.J.zhA6ZtFytYuOZC";
System.out.println("Testing BCrypt Password hashing and verification");
System.out.println("Test password: " + test_passwd);
System.out.println("Test stored hash: " + test_hash);
System.out.println("Hashing test password...");
System.out.println();
String computed_hash = Password.hashPassword(test_passwd);
System.out.println("Test computed hash: " + computed_hash);
System.out.println();
System.out.println("Verifying that hash and stored hash both match for the test password...");
System.out.println();
String compare_test = Password.checkPassword(test_passwd, test_hash)
? "Passwords Match" : "Passwords do not match";
String compare_computed = Password.checkPassword(test_passwd, computed_hash)
? "Passwords Match" : "Passwords do not match";
System.out.println("Verify against stored hash: " + compare_test);
System.out.println("Verify against computed hash: " + compare_computed);
test_hash 变量是从新用户代码存储在数据库中的散列密码。当我登录时,我知道我使用的密码与我在新用户提示中使用的密码相同。
但是,这是我的结果:
Test stored hash: a$N773YstmtU/1zIUe9An.r.P9U5BQp4o6.Qjk.J.zhA6ZtFytYuOZC
Hashing test password...
Test computed hash: a$rbBleRV4gyLaY4.ZZ4fjiOrLW423TWYqKmv0ejws7mmFd2N3/eieK
Verifying that hash and stored hash both match for the test password...
Verify against stored hash: Passwords do not match
Verify against computed hash: Passwords Match
结果表明密码当时和那里的哈希密码匹配,但与数据库中的哈希密码不匹配,尽管初始密码相同。
这是我对密码进行哈希处理并验证它的代码...
public class Password {
// Define the BCrypt workload to use when generating password hashes. 10-31 is a valid value.
private static int workload = 12;
/**
* This method can be used to generate a string representing an account password
* suitable for storing in a database. It will be an OpenBSD-style crypt(3) formatted
* hash string of length=60
* The bcrypt workload is specified in the above static variable, a value from 10 to 31.
* A workload of 12 is a very reasonable safe default as of 2013.
* This automatically handles secure 128-bit salt generation and storage within the hash.
* @param password_plaintext The account's plaintext password as provided during account creation,
* or when changing an account's password.
* @return String - a string of length 60 that is the bcrypt hashed password in crypt(3) format.
*/
public static String hashPassword(String password_plaintext) {
String salt = BCrypt.gensalt(workload);
String hashed_password = BCrypt.hashpw(password_plaintext, salt);
return(hashed_password);
}
/**
* This method can be used to verify a computed hash from a plaintext (e.g. during a login
* request) with that of a stored hash from a database. The password hash from the database
* must be passed as the second variable.
* @param password_plaintext The account's plaintext password, as provided during a login request
* @param stored_hash The account's stored password hash, retrieved from the authorization database
* @return boolean - true if the password matches the password of the stored hash, false otherwise
*/
public static boolean checkPassword(String password_plaintext, String stored_hash) {
boolean password_verified = false;
if(null == stored_hash || !stored_hash.startsWith("a$"))
throw new java.lang.IllegalArgumentException("Invalid hash provided for comparison");
password_verified = BCrypt.checkpw(password_plaintext, stored_hash);
return(password_verified);
}
}
我怀疑您在将哈希存储在数据库中或检索它时,或两者都将错误引入哈希中。
尝试将散列存储在数据库中并以非编程方式检索它以将其与您生成的散列进行比较。如果它们相同,请尝试以编程方式检索它并比较它以查看是否引入了任何错误。
我不熟悉 Java,但在我看来,您从密码输入字段中获取值的方式有误,也许您应该检查一下:
// In the registration form
passwordField.toString()
// In the login form
passwordField.getText()