Aaron Aaron - 1 year ago 53
Python Question

Comparing password to encrypted password using bcrypt in Django

I am trying to compare a user entered password field to a password that has been encrypted. I have looked at the documentation and have not been able to find what I have been looking for. I encrypt the password using

import bcrypt  # pip install bcrypt

pw_bytes = password.encode('utf-8')  # hashpw requires bytes, not str
hashed = bcrypt.hashpw(pw_bytes, bcrypt.gensalt())  # gensalt() picks a fresh random salt on every call

If I re-encrypt the password, it gives me a different hash. How do I decrypt the password from my db, or re-encrypt the password the user provided so that they match?

Answer Source

You need to save the results of bcrypt.gensalt() with the encrypted password and pass it again to bcrypt() when you hash the later password attempt.

The point of the salt is to make your hashes unique per user - said another way, if two users use the same password the hashes should ideally be different.

This salt is to protect your passwords should all the hashes be compromised.

Someone could run a hash against every word in a dictionary and then look through your hashes for matches. These lookup tables are called rainbow tables.

If done properly, each password has a unique salt. The rainbow table would then need to have an entry for every word in the dictionary combined with every possible salt combination. This multiplies the required size of an already large table.