This was explained many times before. You should look into the docstring of 
the CRYPT validator for examples and explanations. The bottom line is that

db.auth_user.password.validate(...) calls a crypt validator which returns 
(lazy_crypt(...), None or 'error')

The lazy_crypt object is not a string but it can be compared with a 
string and serialized into a string.

lazy_crypt(...) == 'hashed.... password'  reads the salt from the right 
hand side in order to perform a comparison.

Massimo


On Friday, 5 April 2013 14:02:39 UTC-5, Orrù wrote:
>
>
> Suppose password='12345' and db.auth_user.first_name=='Lucas'
> so I find the user by first_name,
> row_user=db(db.auth_user.first_name=='Lucas').select().first()
> and 
>
> row_user.password='pbkdf2(1000,20,sha512)$97448b22487eca1d$dae65c0429430b7ae7bb311fed8e844b6a37ff30'
>
> db.auth_user.password.validate('12345') == (db(db.auth_user.id==
> row_user.id).select ().first ().password, None) 
> returns False
> CRYPT()('12345')==(row_user.password,None)
> also returns False
>
> Where am I going wrong?
>
> On Friday, December 21, 2012 11:12:26 PM UTC-2, Pearu Peterson wrote:
>>
>> Hi,
>>
>> I have a password in plain text and I want to check if it matches with 
>> the crypted password in auth_user.password field.
>>
>> I have tried comparing auth_user.password with 
>> str(db.auth_user.password.validate(plain_password)[0]) with no success even 
>> when I know that the passwords match exactly.
>>
>> The problem seems to boil down to the fact that encryption of the same 
>> string results in different encrypted strings. For example,
>> >>> from gluon.validators import CRYPT, LazyCrypt
>> >>> crypt = CRYPT()
>> >>> str(LazyCrypt(crypt, 'mysecret'))
>>     
>> 'pbkdf2(1000,20,sha512)$a2a2ca127df6bc19$77bb5a3d129e2ce710daaefeefef8356c4c827ff'
>> >>> str(LazyCrypt(crypt, 'mysecret'))
>>     
>> 'pbkdf2(1000,20,sha512)$a555a267249876fb$bc18f82b72a3a5ebce617f32d6abaa5c48734ab9'
>>
>> What would be the correct way to check if passwords match when they are 
>> given in encrypted form?
>>
>> Any hints are appreciated,
>> Pearu
>>
>>
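
The comparison described at the top of this message, as an added stand-alone illustration (not web2py's code and not part of the original thread): each hash gets a fresh salt, so verification must re-derive the candidate with the salt and parameters read from the stored string. The function names are hypothetical, and feeding the salt to PBKDF2 as its ASCII hex text with no HMAC key is an assumption.

```python
import hashlib
import hmac
import os
import re

# Stored format seen in the thread: pbkdf2(iterations,keylen,alg)$salt$hexdigest
_STORED = re.compile(r'^pbkdf2\((\d+),(\d+),(\w+)\)\$([0-9a-f]+)\$([0-9a-f]+)$')


def parse_stored(stored):
    """Split a stored hash into (iterations, keylen, alg, salt, digest)."""
    m = _STORED.match(stored)
    if m is None:
        raise ValueError('not a pbkdf2(...)$salt$hash string')
    iterations, keylen, alg, salt, digest = m.groups()
    return int(iterations), int(keylen), alg, salt, digest


def _derive(password, salt, iterations, keylen, alg):
    # Assumption: the salt is fed to PBKDF2 as its ASCII hex text.
    return hashlib.pbkdf2_hmac(alg, password.encode('utf-8'),
                               salt.encode('ascii'), iterations, keylen).hex()


def hash_password(password, iterations=1000, keylen=20, alg='sha512'):
    """Hash with a fresh random salt, so every call gives a new string."""
    salt = os.urandom(8).hex()  # 16 hex characters, as in the thread
    digest = _derive(password, salt, iterations, keylen, alg)
    return 'pbkdf2(%d,%d,%s)$%s$%s' % (iterations, keylen, alg, salt, digest)


def verify_password(password, stored):
    """Re-derive with the salt and parameters read from the stored hash."""
    try:
        iterations, keylen, alg, salt, digest = parse_stored(stored)
        candidate = _derive(password, salt, iterations, keylen, alg)
    except ValueError:  # malformed string or unsupported parameters
        return False
    return hmac.compare_digest(candidate, digest)  # constant-time compare


if __name__ == '__main__':
    a = hash_password('mysecret')  # constructed sample values
    b = hash_password('mysecret')
    print(a != b, verify_password('mysecret', a), verify_password('wrong', b))
```

Comparing two freshly generated hash strings with == fails because their salts differ; only re-deriving with the stored salt can match.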
