3

I want to make a register page in PHP and store the password in the database hashed with bcrypt.

I also want to make a login system in Java and check the password against the same password hash, using jbcrypt.

How can I make jbcrypt and bcrypt in PHP compatible, with the same salt?

garyh
  • 2,782
  • 1
  • 26
  • 28

3 Answers

5

You can check out this:

https://github.com/ircmaxell/password_compat/issues/49

That worked for me:

import org.mindrot.jbcrypt.BCrypt;

public class Main {
    public static void main(String[] args) {
        // Laravel bcrypt output ($2y$); jBCrypt only accepts $2a$, so rewrite the revision letter.
        // "2y" first occurs at index 1, so replaceFirst() only touches the prefix.
        String hash_php = "$2y$10$ss9kwE8iSIqcJOAPhZR0Y.2XdYXJTFJ1/wGq6SUv74vULE7uhKUIO".replaceFirst("2y", "2a");
        System.out.println("hash php " + hash_php);
        //String a_hash = BCrypt.hashpw("123456", BCrypt.gensalt());
        //System.out.println("Encrypt " + a_hash);
        if (BCrypt.checkpw("123456", hash_php)) {
            System.out.println("It matches");
        } else {
            System.out.println("It does not match");
        }
        //mtPruebaRecuperarClave();
    }
}

Console output (screenshot not included)

I hope that helps you.

Omal Perera
  • 2,971
  • 3
  • 21
  • 26
4

The problem is that PHP, with its password_hash(), has its own version scheme, because previous implementations had breaking bugs and it should be possible to recognize the old hashes.

So the version used by OpenBSD is $2a$ (it will be $2b$ in future releases) and password_hash() uses $2y$ (previously $2x$), so of course the hash will not match, e.g.

$2y$10$ss9kwE8iSIqcJOAPhZR0Y.2XdYXJTFJ1/wGq6SUv74vULE7uhKUIO

vs

$2a$10$ss9kwE8iSIqcJOAPhZR0Y.2XdYXJTFJ1/wGq6SUv74vULE7uhKUIO

(see the Wikipedia article for more info on the versions)

Currently jBcrypt (0.4) only supports $2a$.

There are 2 possibilities:

1. Replace the version identifier manually before passing it to jBcrypt (hack)

String hash_php = "$2y$10$ss9kwE8iSIqcJOAPhZR0Y.2XdYXJTFJ1/wGq6SUv74vULE7uhKUIO".replace("$2y$", "$2a$");
// String.replace() matches literally; replaceFirst() would treat "$2y$" as a regex, where "$" is an anchor and never matches here

2. Use a different implementation that supports custom version identifiers

This is the reason I implemented a new library for bcrypt (based on jBcrypt). https://github.com/patrickfav/bcrypt

Just use it like this (it does not check the version by default; you can use verifyStrict() if you want that):

BCrypt.Result result = BCrypt.verifyer().verify(password.toCharArray(), "$2y$10$ss9kwE8iSIqcJOAPhZR0Y.2XdYXJTFJ1/wGq6SUv74vULE7uhKUIO");
if (result.verified) { ... }

If you want bcrypt to create $2y$ hashes:

String bcryptHash = BCrypt.with(BCrypt.Version.VERSION_2Y).hashToString(10, password.toCharArray());
// e.g. $2y$10$ss9kwE8iSIqcJOAPhZR0Y.2XdYXJTFJ1/wGq6SUv74vULE7uhKUIO (the salt is random, so each call gives a different string)

Full disclaimer: I'm the author of bcrypt.

Patrick
  • 33,984
  • 10
  • 106
  • 126
0

If you remove the first 7 chars from the hashes ($2y$10$ / $2a$10$), the rest should be the same regardless of the programming language you have used. The first characters of the generated hash are a prefix that tells more about the hash algorithm.

In your example, the $2y$ and $2a$ define the algorithm of the hash, and the 10$ is the "cost" of the hash generation (how many times the hash algorithm was repeatedly applied, or something like this).

If you want to learn more about the prefixes in the bcrypt generated hashes, read this article.

SaWo
  • 1,515
  • 2
  • 14
  • 32
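As an added example that is not from any of the answers nor from the jBCrypt or patrickfav/bcrypt projects, the Java class below ties Patrick's first option and SaWo's description of the hash layout together: it parses the 60-character string into revision, cost, salt and digest, compares two hashes with the prefix ignored, and relabels $2y$ as $2a$ for jBCrypt only after validating the string, so a malformed or $2x$ hash is rejected instead of silently failing later. It assumes jBCrypt 0.4 (org.mindrot.jbcrypt.BCrypt) is on the classpath; the class name BcryptCompat and the helper names are my own, and the treatment of $2b$ is marked as an assumption in the code.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.mindrot.jbcrypt.BCrypt;  // jBCrypt 0.4 (assumed on the classpath); it only accepts $2a$ hashes

public final class BcryptCompat {

    // A bcrypt string is $2<rev>$<cost>$ + 22 salt chars + 31 digest chars, all from bcrypt's own base64 alphabet.
    private static final Pattern BCRYPT = Pattern.compile(
            "^\\$2([abxy])\\$(\\d{2})\\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$");

    /** The four fields of a parsed bcrypt string. */
    public static final class Fields {
        public final String revision; // "a", "b", "x" or "y"
        public final int cost;        // log2 of the work factor, e.g. 10
        public final String salt;     // 22 chars = 128 bits of salt, carried inside the hash string itself
        public final String digest;   // 31 chars = 184 bits of bcrypt output

        Fields(String revision, int cost, String salt, String digest) {
            this.revision = revision;
            this.cost = cost;
            this.salt = salt;
            this.digest = digest;
        }
    }

    /** Splits a bcrypt string into its fields; rejects anything that is not exactly 60 well-formed characters. */
    public static Fields parse(String hash) {
        Matcher m = BCRYPT.matcher(hash);
        if (!m.matches()) {
            throw new IllegalArgumentException("not a bcrypt hash string");
        }
        int cost = Integer.parseInt(m.group(2));
        if (cost < 4 || cost > 31) {
            throw new IllegalArgumentException("bcrypt cost out of range: " + cost);
        }
        return new Fields(m.group(1), cost, m.group(3), m.group(4));
    }

    /** SaWo's check: two strings describe the same computation if salt and digest agree once the prefix is ignored. */
    public static boolean sameSaltAndDigest(String hashA, String hashB) {
        Fields a = parse(hashA);
        Fields b = parse(hashB);
        return a.salt.equals(b.salt) && a.digest.equals(b.digest);
    }

    /**
     * Patrick's first option with validation instead of a blind string replace:
     * rewrite the revision to $2a$ so jBCrypt accepts the string, and refuse what it must not verify.
     */
    public static String toJbcryptForm(String storedHash) {
        Fields f = parse(storedHash);
        switch (f.revision) {
            case "a":
            case "y": // PHP password_hash() output: same computation as $2a$, only the label differs
            case "b": // OpenBSD's current revision; assumption: treated as $2a$, which holds for normal-length passwords
                return String.format("$2a$%02d$%s%s", f.cost, f.salt, f.digest);
            default:  // "$2x$" marks hashes from the old buggy PHP implementation; do not relabel them
                throw new IllegalArgumentException("unsupported bcrypt revision $2" + f.revision + "$");
        }
    }

    /** Verifies a PHP-produced hash with jBCrypt; malformed or unsupported hashes never verify. */
    public static boolean verifyPhpHash(String password, String storedHash) {
        try {
            return BCrypt.checkpw(password, toJbcryptForm(storedHash));
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // The $2y$ hash from the question (the first answer checks it against "123456") and its $2a$ relabelling.
        String phpHash = "$2y$10$ss9kwE8iSIqcJOAPhZR0Y.2XdYXJTFJ1/wGq6SUv74vULE7uhKUIO";
        String javaHash = "$2a$10$ss9kwE8iSIqcJOAPhZR0Y.2XdYXJTFJ1/wGq6SUv74vULE7uhKUIO";

        Fields f = parse(phpHash);
        System.out.println("revision=" + f.revision + " cost=" + f.cost + " salt=" + f.salt);
        System.out.println("same salt+digest: " + sameSaltAndDigest(phpHash, javaHash));
        System.out.println("jBCrypt form:     " + toJbcryptForm(phpHash));
        System.out.println("123456 verifies:  " + verifyPhpHash("123456", phpHash));
        System.out.println("garbage verifies: " + verifyPhpHash("123456", "$2y$10$tooShort"));
    }
}
```

Because the salt sits in the 22 characters after the cost, the PHP registration page and the Java login never have to share a salt; the stored string carries it. In the other direction, a hash jBCrypt creates with BCrypt.hashpw(password, BCrypt.gensalt(10)) begins with $2a$, which PHP's password_verify() accepts without any rewriting.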