
I am trying to compare a user entered password field to a password that has been hashed. I have looked at the documentation and have not been able to find what I have been looking for. I hash the password using

import bcrypt

pw_bytes = password.encode('utf-8')  # bcrypt works on bytes, not str
hashed = bcrypt.hashpw(pw_bytes, bcrypt.gensalt())  # gensalt() draws a fresh random salt on every call

If I re-hash the password, it gives me a different hash. How do I dehash the password from my db, or re-hash the password the user provided so that they match?

    Your salt is different every time you run this. It SHOULD be a different hash each time. If you want a repeatable hash you need to store the salt as well. – Tieson T. Jun 18 '16 at 17:27
  • So I should store the salt in my db? – Aaron Jun 18 '16 at 17:29
  • Yes. You normally store a salt with each user record. I would recommend changing the salt whenever the user changes their password, as well. – Tieson T. Jun 18 '16 at 17:31

1 Answer


You need to save the results of bcrypt.gensalt() with the encrypted password and pass it again to bcrypt() when you hash the later password attempt.

The point of the salt is to make your hashes unique per user - said another way, if two users use the same password the hashes should ideally be different.

This salt is to protect your passwords should all the hashes be compromised.

Someone could run a hash against every word in a dictionary and then look through your hashes for matches. These lookup tables are called rainbow tables.

If done properly, each password has a unique salt. The rainbow table would then need to have an entry for every word in the dictionary combined with every possible salt combination. This multiplies the required size of an already large table.
