Environment: PHP 7.1, Python 2.7.6
I'm currently developing in PHP and using password_hash to hash passwords.
A while ago I wondered whether those hashed passwords could still be used as-is after migrating to another language (Python in this case). Question: in other words, I want to be sure that a user's password can still be verified normally, so that login keeps working after the move to Python.
Put more concretely, password_hash uses an algorithm called Blowfish (see below), so I want to check whether that algorithm can also be used from Python for verification.
```php
<?php
echo password_hash('password', PASSWORD_DEFAULT), "\n";
// $2y$10$BN2hH0B3gnZceNlW1JXiNOUN8NWybLlfqZh6WQ/imah4htM8fktFW
echo password_hash('password', PASSWORD_BCRYPT), "\n";
// $2y$10$CuZkO0N29B1YtHHI9mwvIOCSUitQh4ptyfxYWvHhHoHHP2GZqC5Ga
// (the salt is generated randomly, so the exact value differs on every call)
```
password_hash currently lets you specify one of two constants: PASSWORD_DEFAULT and PASSWORD_BCRYPT.
http://php.net/manual/ja/function.password-hash.php

In /php/lib/php.jar!/stubs/standard/password.php:

```php
define("PASSWORD_DEFAULT", 1);
define("PASSWORD_BCRYPT", 1);
```
**After all, both PASSWORD_DEFAULT and PASSWORD_BCRYPT point to the same value.**
In that case the hash is computed with bcrypt.
Since bcrypt ≒ Blowfish (bcrypt is derived from the Blowfish cipher), the algorithm password_hash currently uses is always Blowfish.
The explanation of bcrypt here was easy to understand: https://goo.gl/kpS5En
If you want to use a different algorithm, use the `crypt` function instead.
http://php.net/manual/ja/function.crypt.php
```python
import bcrypt

password = b'password'
# Hash produced by PHP's password_hash (note the $2y$ prefix); checkpw needs bytes
phpHash = b'$2y$10$BN2hH0B3gnZceNlW1JXiNOUN8NWybLlfqZh6WQ/imah4htM8fktFW'
if bcrypt.checkpw(password, phpHash):
    print("It Matches!")
else:
    print("It Does not Match :(")
# It Matches!
```
**Matched successfully!**
- Use the bcrypt module to check whether the password hashed by PHP matches.
- You need to install the bcrypt module beforehand: https://pypi.python.org/pypi/bcrypt/3.1.3
- bcrypt.checkpw corresponds to password_verify in PHP.
The version prefix (the leftmost part) of a value generated by PHP's password_hash is `$2y$`.
However, when generating a hash with Python's bcrypt module, it seems that only `$2a$` and `$2b$` can be specified as the version prefix.
```python
import bcrypt

# The prefix argument only accepts b'2a' or b'2b'
salt = bcrypt.gensalt(rounds=10, prefix=b'2a')
password = b'password'
hashed = bcrypt.hashpw(password, salt)  # starts with b'$2a$10$'
```
Since the prefix part differs, I wondered whether this would really be treated as the same password, but it matched as shown above.
Conversely, a value generated by bcrypt.hashpw also matches successfully when checked with password_verify.
In other words, even when the version prefixes differ, such as `$2a$` and `$2y$`, they are recognized as the same password, so when moving to Python in the future there is no need to go to the trouble of replacing `$2y$` with `$2a$`; no such processing is required.
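As an added example (not code from the original post), the following Python 3 helper parses the bcrypt string format that password_hash and the bcrypt module exchange, validates it before a migration script feeds rows to checkpw, and shows that two hashes with different `$2a$`/`$2b$`/`$2y$` tags are the same hash when their cost, salt and digest agree. The function names are my own; no bcrypt package is needed because it only inspects the format.

```python
import re

# bcrypt uses its own base64 alphabet (./A-Za-z0-9), not the RFC 4648 one
_B64 = r"[./A-Za-z0-9]"
# Shape: $<variant>$<cost>$<22-char salt><31-char digest>, 60 characters total
_BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>" + _B64 + r"{22})(?P<digest>" + _B64 + r"{31})$"
)
# Variant tags that verify interchangeably for the same salt/digest (the post
# demonstrates $2y$ <-> $2a$; $2b$ is the other prefix gensalt accepts).
INTERCHANGEABLE = ("2a", "2b", "2y")


def parse_bcrypt_hash(stored):
    """Split a bcrypt string into its fields, validating shape and cost.
    Accepts str or bytes (PHP's password_hash output is plain ASCII)."""
    if isinstance(stored, bytes):
        stored = stored.decode("ascii")
    m = _BCRYPT_RE.match(stored)
    if m is None:
        raise ValueError("not a well-formed bcrypt hash")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:  # log2 work factor; 04..31 is the legal range
        raise ValueError("bcrypt cost must be 04..31, got %02d" % cost)
    return {"variant": m.group("variant"), "cost": cost,
            "salt": m.group("salt"), "digest": m.group("digest")}


def same_password_hash(a, b):
    """True when two bcrypt strings differ only in an interchangeable variant
    tag, i.e. they carry the same cost, salt and digest. Legacy $2$ and $2x$
    hashes are deliberately not treated as equivalent to anything here."""
    pa, pb = parse_bcrypt_hash(a), parse_bcrypt_hash(b)
    if pa["variant"] not in INTERCHANGEABLE or pb["variant"] not in INTERCHANGEABLE:
        return False
    return (pa["cost"], pa["salt"], pa["digest"]) == (pb["cost"], pb["salt"], pb["digest"])


def relabel_variant(stored, target="2b"):
    """Rewrite the variant tag of a $2a$/$2b$/$2y$ hash, only for a library
    that rejects $2y$. Not needed for the bcrypt module: checkpw accepts $2y$."""
    if target not in INTERCHANGEABLE:
        raise ValueError("target must be one of %s" % (INTERCHANGEABLE,))
    p = parse_bcrypt_hash(stored)
    if p["variant"] not in INTERCHANGEABLE:
        raise ValueError("refusing to relabel a $%s$ hash" % p["variant"])
    return "$%s$%02d$%s%s" % (target, p["cost"], p["salt"], p["digest"])
```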