Verifying Hashed Password From MySQL Database


Question

I am using Java in Eclipse and am storing a hashed password in my database when a new user is created. This is done with this code:

String hashed_password = Password.hashPassword(passwordField.toString());
String query = "insert into user (username, password, usertype, license_code) values (?, ?, ?, ?)";
PreparedStatement pst = connection.prepareStatement(query);
pst.setString(1, userNameTextField.getText());
pst.setString(2, hashed_password);

I left out some other details not associated with the password, however, my hashed value is stored in the database. I then login, and do the following code:

String test_passwd = passwordField.getText();
String test_hash = "$2a$12$N773YstmtU/1zIUe9An.r.P9U5BQp4o6.Qjk.J.zhA6ZtFytYuOZC";

System.out.println("Testing BCrypt Password hashing and verification");
System.out.println("Test password: " + test_passwd);
System.out.println("Test stored hash: " + test_hash);
System.out.println("Hashing test password...");
System.out.println();

String computed_hash = Password.hashPassword(test_passwd);
System.out.println("Test computed hash: " + computed_hash);
System.out.println();
System.out.println("Verifying that hash and stored hash both match for the test password...");
System.out.println();

String compare_test = Password.checkPassword(test_passwd, test_hash)
        ? "Passwords Match" : "Passwords do not match";
String compare_computed = Password.checkPassword(test_passwd, computed_hash)
        ? "Passwords Match" : "Passwords do not match";

System.out.println("Verify against stored hash:   " + compare_test);
System.out.println("Verify against computed hash: " + compare_computed);

The test_hash variable is the hashed password that is stored in the database from the new user code. When I log in, I know that I am using the same password that I used in the new user prompt.

However, here are my results:

Test stored hash: $2a$12$N773YstmtU/1zIUe9An.r.P9U5BQp4o6.Qjk.J.zhA6ZtFytYuOZC
Hashing test password...

Test computed hash: $2a$12$rbBleRV4gyLaY4.ZZ4fjiOrLW423TWYqKmv0ejws7mmFd2N3/eieK

Verifying that hash and stored hash both match for the test password...

Verify against stored hash:   Passwords do not match
Verify against computed hash: Passwords Match

The results indicate that the password matches the hashed password right then and there, but doesn't match the hashed password in the database despite being the same initial password.

Here is the code where I hash the password and verify it:

import org.mindrot.jbcrypt.BCrypt;

public class Password {
    // Define the BCrypt workload to use when generating password hashes. 10-31 is a valid value.
    private static int workload = 12;

    /**
     * This method can be used to generate a string representing an account password
     * suitable for storing in a database. It will be an OpenBSD-style crypt(3) formatted
     * hash string of length=60
     * The bcrypt workload is specified in the above static variable, a value from 10 to 31.
     * A workload of 12 is a very reasonable safe default as of 2013.
     * This automatically handles secure 128-bit salt generation and storage within the hash.
     * @param password_plaintext The account's plaintext password as provided during account creation,
     *               or when changing an account's password.
     * @return String - a string of length 60 that is the bcrypt hashed password in crypt(3) format.
     */
    public static String hashPassword(String password_plaintext) {
        // A fresh random salt per password; it is embedded in the returned hash string.
        String salt = BCrypt.gensalt(workload);
        String hashed_password = BCrypt.hashpw(password_plaintext, salt);

        return(hashed_password);
    }

    /**
     * This method can be used to verify a computed hash from a plaintext (e.g. during a login
     * request) with that of a stored hash from a database. The password hash from the database
     * must be passed as the second variable.
     * @param password_plaintext The account's plaintext password, as provided during a login request
     * @param stored_hash The account's stored password hash, retrieved from the authorization database
     * @return boolean - true if the password matches the password of the stored hash, false otherwise
     */
    public static boolean checkPassword(String password_plaintext, String stored_hash) {
        boolean password_verified = false;

        if(null == stored_hash || !stored_hash.startsWith("$2a$"))
            throw new java.lang.IllegalArgumentException("Invalid hash provided for comparison");

        // checkpw re-derives the hash using the salt and cost stored in stored_hash, then compares.
        password_verified = BCrypt.checkpw(password_plaintext, stored_hash);

        return(password_verified);
    }
}

Recommended answer

I'm not familiar with Java, but it seems to me that you got the value from the password input field the wrong way, maybe you should check this out:

// In the registration form
passwordField.toString()

// In the login form
passwordField.getText()
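An added example, not code from the asker or the answerer, that makes the mismatch concrete: on a Swing JPasswordField, toString() returns the component's description string (class name plus its properties), not the typed characters, so the registration path hashed the wrong input while the login path compared the real password. It assumes the jBCrypt library (org.mindrot.jbcrypt) that the Password class above uses, and reads the field with getPassword(), which returns a char[] that can be wiped after use.

```java
import java.util.Arrays;
import javax.swing.JPasswordField;
import org.mindrot.jbcrypt.BCrypt;

public class PasswordFieldDemo {
    // Read the secret from a Swing password field the intended way.
    // getPassword() returns a char[] so the plaintext can be cleared once it is used.
    static String readSecret(JPasswordField field) {
        char[] chars = field.getPassword();
        try {
            return new String(chars);
        } finally {
            Arrays.fill(chars, '\0'); // do not leave the plaintext lying in the array
        }
    }

    // Registration: hash what the user actually typed, with a fresh salt and cost 12.
    static String register(JPasswordField field) {
        return BCrypt.hashpw(readSecret(field), BCrypt.gensalt(12));
    }

    // Login: bcrypt re-derives the hash from the salt stored in the record and compares.
    static boolean login(JPasswordField field, String storedHash) {
        if (storedHash == null || !storedHash.startsWith("$2a$")) {
            return false; // malformed record: treat as a failed login rather than crash the UI
        }
        return BCrypt.checkpw(readSecret(field), storedHash);
    }

    public static void main(String[] args) {
        JPasswordField field = new JPasswordField();
        field.setText("hunter2"); // constructed sample password, not a real credential

        // This is the value the question's registration code passed to hashPassword():
        // the component description ("javax.swing.JPasswordField[...]"), not the password.
        String wrongInput = field.toString();
        System.out.println("toString() gives: " + wrongInput);

        // Correct flow: the same field verifies against the hash made from its real content.
        String storedHash = register(field);
        System.out.println("login with real password: " + login(field, storedHash));

        // Reproduce the question's bug: hash toString() at registration, check the password at login.
        String buggyHash = BCrypt.hashpw(wrongInput, BCrypt.gensalt(12));
        System.out.println("login against hash of toString(): " + login(field, buggyHash));
    }
}
```

The only change needed in the asker's registration code is to replace passwordField.toString() with the same read used at login (getPassword(), or getText() as in the login form); existing rows hashed from toString() cannot be repaired and those users must set a new password.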
