funcool / buddy-hashers

Collection of password hashers.
https://funcool.github.io/buddy-hashers/latest/
Apache License 2.0

How to verify old bcrypt+sha256's hash? #1

Closed ayamada closed 9 years ago

ayamada commented 9 years ago

Hi.

I used the old [buddy "0.2.3"]. [buddy "0.2.3"]'s buddy.hashers.bcrypt/make-password generates bcrypt+sha256 hashes by default. I stored these hashes. But I cannot verify these hashes in [buddy/buddy-hashers "0.3.0"].

How can I verify these hashes?

lein repl in [buddy "0.2.3"];

(require '[buddy.hashers.bcrypt :as bcrypt])

(bcrypt/make-password "test")
=> "bcrypt+sha256$f28554e7f1af3b570320c9fb$2432612431322471734f4f36544b757a2f33617857344c4b6e554669756c4857376d5a334e786f44486b345a78616146614f6b5776797277764f6a32"

(def h (bcrypt/make-password "test"))
(bcrypt/check-password "test" h) => true

lein repl in [buddy/buddy-hashers "0.3.0"];

(require '[buddy.hashers.bcrypt :as bcrypt])

(bcrypt/make-password "test")
=> "bcrypt+sha512$379585305fb52788cd89e8e1$243261243132245837796e7a326f442f78667063425752556f522f504f644e42544c49364879725837776b73624b61767134736b65655a7535674753"
;;; Default hashing algorithm was changed from bcrypt+sha256 to bcrypt+sha512.

;;; Verify old (0.2.3) hash string
(def h "bcrypt+sha256$f28554e7f1af3b570320c9fb$2432612431322471734f4f36544b757a2f33617857344c4b6e554669756c4857376d5a334e786f44486b345a78616146614f6b5776797277764f6a32")
(bcrypt/check-password "test" h)
=> IllegalArgumentException invalid type of hasher  buddy.hashers.bcrypt/check-password (bcrypt.clj:48)

;;; I tested the new buddy.hashers interface, but it cannot verify the old hash string either.
(require '[buddy.hashers :as hashers])
(hashers/check "test" h)
=> NullPointerException   buddy.core.codecs/hex->bytes (codecs.clj:40)

niwinz commented 9 years ago

Hi @ayamada

buddy 0.2.3 has a bug in the bcrypt password hasher. It publicly specifies that it is :bcrypt+sha256 but internally uses sha512. In buddy 0.3.0 that bug is fixed, changing the algorithm identifier to :bcrypt-sha512.

Try replacing the "sha256" part of your hash with sha512 and try to validate it. If it works, the solution is to make the replacement in all your hashers.

Sorry for the inconvenience.
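One way to apply this workaround at verification time, as an added example and not code from buddy-hashers: only the algorithm tag of a legacy hash is rewritten (salt and hash bytes stay as stored), the result is checked with the 0.3.0 `buddy.hashers.bcrypt/check-password` shown above, and a fresh hash with the current default is produced on success so the stored record can be upgraded. The names `normalize-legacy-hash` and `check-legacy-or-current` are assumptions of this example.

```clojure
(ns legacy-hash-migration
  (:require [buddy.hashers.bcrypt :as bcrypt]))

;; Stored hashes have the shape "<algorithm>$<salt-hex>$<hash-hex>"
;; (see the REPL output earlier in this issue). Only the algorithm tag
;; is rewritten; the salt and hash bytes are left untouched.
(def ^:private legacy-prefix "bcrypt+sha256$")
(def ^:private fixed-prefix  "bcrypt+sha512$")

(defn normalize-legacy-hash
  "Rewrite a buddy 0.2.3 hash (mislabelled bcrypt+sha256) to the
   bcrypt+sha512 tag that 0.3.0 expects. Hashes without the legacy
   prefix are returned unchanged."
  [^String encoded]
  (if (.startsWith encoded legacy-prefix)
    (str fixed-prefix (subs encoded (count legacy-prefix)))
    encoded))

(defn check-legacy-or-current
  "Verify `attempt` against a stored hash produced by either 0.2.3 or
   0.3.0. Returns {:valid? bool :new-hash string-or-nil}; :new-hash is
   set only when the password matched a legacy hash and the record
   should be rewritten with it."
  [attempt ^String stored]
  (let [normalized (normalize-legacy-hash stored)
        ok?        (try
                     (bcrypt/check-password attempt normalized)
                     ;; 0.3.0 throws on an unknown algorithm tag instead
                     ;; of returning false; treat that as a failed check.
                     (catch IllegalArgumentException _ false))]
    {:valid?   (boolean ok?)
     ;; Re-hash only after a successful check: the cleartext password is
     ;; available and known to be correct only at this point.
     :new-hash (when (and ok? (not= normalized stored))
                 (bcrypt/make-password attempt))}))

(comment
  ;; Hash string taken from the first comment in this issue.
  (check-legacy-or-current
    "test"
    "bcrypt+sha256$f28554e7f1af3b570320c9fb$2432612431322471734f4f36544b757a2f33617857344c4b6e554669756c4857376d5a334e786f44486b345a78616146614f6b5776797277764f6a32"))
```

Persist `:new-hash` in place of the old value when it is non-nil, so each user is migrated on their next successful login and the rewrite step disappears once no legacy hashes remain.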

ayamada commented 9 years ago

Hi @niwibe

I replaced the old hash string's bcrypt+sha256$ with bcrypt+sha512$, and it passed buddy.hashers.bcrypt/check-password.

Thanks for your response!

niwinz commented 9 years ago

Great! ;)