funcool / buddy-hashers

Collection of password hashers.
https://funcool.github.io/buddy-hashers/latest/
Apache License 2.0

Password hash retrieved from postgres table fails check on known password #14

Closed dadair-ca closed 7 years ago

dadair-ca commented 7 years ago

Hello!

I've defined some user records:

(require '[buddy.hashers :as hashers])

(def fixtures
  {:accounts
   [{:email "admin@koi.com"
     :role "admin"
     :password (hashers/derive "secret")}
    {:email "modeller@koi.com"
     :role "modeller"
     :password (hashers/derive "secret")}
    {:email "user@koi.com"
     :role "user"
     :password (hashers/derive "secret")}]})

And created records for them in the DB:

              account_id              |         email         |                                              password                                              | account_role 
--------------------------------------+-----------------------+----------------------------------------------------------------------------------------------------+--------------
 d1780be7-c1aa-40e1-ac91-9a1e4c7707e3 | admin@koi.com         | bcrypt+sha512$7708368de625ddfea06b594f75ddd796$12$0feac3c9db26080485a43cc3634d7a877e7ec1b8991ae6de | admin
 d422c4a5-f097-47cc-b784-254758881b63 | modeller@koi.com      | bcrypt+sha512$75e444fde322a91437789b70ce1b5fb4$12$3d591850c3f37358ddca00406dc9741eff17de4d30fd4c11 | modeller
 17ebcd92-ca77-44ae-a34e-37ae8dcdb39d | user@koi.com          | bcrypt+sha512$94b41198a8340e5806c74d8c2959a587$12$bec31ff6f2527e7bf717ceda7b7b285c19c36e58151df805 | user

However, when I try to (hashers/check "secret" (:password ..)) on any of the records, I get false back. This happens if I manually copy the password text into the check as well. Note that this only happens when I re-run the application. If I create a record, and check the hash in the same REPL session, then the check passes. I thought this may be due to the salt (I'm not specifying it, and therefore it's using the default (random-bytes 12)), but that's stored in the hash string, so that shouldn't be an issue.

Details:
(1) algorithm: bcrypt+sha512 (I'm using defaults for both derive and check)
(2) SQL type: varchar(98)

Have you encountered this in the past, or do you have an idea of what error I may be making on my end?

dadair-ca commented 7 years ago

I had my own programmatic error, where I was accidentally hashing the already hashed password.
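An added example (not from the issue or the buddy-hashers project) that reproduces the double-hashing mistake from the final comment and shows a guard against it; the `hash-pattern` regex, `derive-once` and `seed-again-buggy` are assumptions, and the pattern matches only the bcrypt+sha512 layout shown in the table above.

```clojure
(ns example.double-hash
  (:require [buddy.hashers :as hashers]))

;; Hypothetical fixture in the shape of the issue's `fixtures` map,
;; but holding the plaintext so hashing happens in one known place.
(def fixtures
  {:accounts [{:email "admin@koi.com" :role "admin" :password "secret"}]})

;; Assumption: stored values use the "alg$salt$iterations$hash" layout
;; of the bcrypt+sha512 strings shown in the issue's table.
(def hash-pattern #"^bcrypt\+sha512\$[0-9a-f]+\$\d+\$[0-9a-f]+$")

(defn hashed?
  "True when S already looks like a stored buddy-hashers string."
  [s]
  (boolean (and (string? s) (re-matches hash-pattern s))))

(defn derive-once
  "Hash PASSWORD, but refuse a value that is already a hash: re-hashing
  a hash is exactly the mistake that makes `check` return false later."
  [password]
  (when (hashed? password)
    (throw (ex-info "refusing to hash an already-hashed value" {})))
  (hashers/derive password {:alg :bcrypt+sha512}))

;; Seed step done correctly: plaintext hashed exactly once.
(def stored
  (mapv #(update % :password derive-once) (:accounts fixtures)))

;; The bug from the issue: the seed step runs a second time over rows
;; whose :password is already a hash, so `derive` hashes the hash.
(defn seed-again-buggy [accounts]
  (mapv #(update % :password hashers/derive) accounts))

(defn -main [& _]
  (let [good (:password (first stored))
        bad  (:password (first (seed-again-buggy stored)))]
    ;; check against the once-hashed value succeeds
    (println "hashed once, check ->" (hashers/check "secret" good))
    ;; check against the twice-hashed value fails, as in the issue
    (println "hashed twice, check ->" (hashers/check "secret" bad))
    ;; the guard turns the silent mismatch into an error at seed time
    (println "guard rejects second pass ->"
             (try (derive-once good) false
                  (catch clojure.lang.ExceptionInfo _ true)))))
```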