On 21 Dec 2012, at 5:12 PM, Pearu Peterson <pearu.peter...@gmail.com> wrote:

> Hi,
>
> I have a password in plain text and I want to check if it matches with the
> crypted password in the auth_user.password field.
>
> I have tried comparing auth_user.password with
> str(db.auth_user.password.validate(plain_password)[0]) with no success even
> when I know that the passwords match exactly.
>
> The problem seems to boil down to the fact that encryption of the same string
> results in different encrypted strings. For example,
>
> >>> from gluon.validators import CRYPT, LazyCrypt
> >>> crypt = CRYPT()
> >>> str(LazyCrypt(crypt, 'mysecret'))
> 'pbkdf2(1000,20,sha512)$a2a2ca127df6bc19$77bb5a3d129e2ce710daaefeefef8356c4c827ff'
> >>> str(LazyCrypt(crypt, 'mysecret'))
> 'pbkdf2(1000,20,sha512)$a555a267249876fb$bc18f82b72a3a5ebce617f32d6abaa5c48734ab9'
>
> What would be the correct way to check if passwords match when they are given
> in encrypted form?
You have to compare using the equality test in CRYPT, so compare CRYPT()(plaintext) == stored_password (or something like that). You can't compare the resulting strings, because they have different (random) salts, at least by default they do.

> Any hints are appreciated,
> Pearu
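The check the reply describes, written out as an added example (this is not web2py's own code, and `hash_password` / `verify_password` are names chosen here): the salt and parameters are read back out of the stored `pbkdf2(1000,20,sha512)$salt$hash` string, the candidate password is re-hashed with that same salt, and only then are the digests compared. It assumes, following web2py's stored format as shown in the thread, that the 16-hex-character salt is fed to PBKDF2 as those ASCII bytes; the tests below only exercise values produced by the same function.

```python
import hashlib
import hmac
import os
import re

# Stored-value layout seen in the thread:
#   pbkdf2(<iterations>,<keylen>,<digest>)$<salt>$<hexdigest>
_FORMAT = re.compile(r"^pbkdf2\((\d+),(\d+),(\w+)\)\$([0-9a-f]+)\$([0-9a-f]+)$")


def hash_password(plaintext, iterations=1000, keylen=20, digest="sha512", salt=None):
    """Return a pbkdf2(...)$salt$hash string. A fresh random salt is drawn on
    every call, which is exactly why two hashes of 'mysecret' never match as strings."""
    if salt is None:
        salt = os.urandom(8).hex()  # 16 hex chars, like the salts in the thread
    # Assumption: the salt's ASCII characters are the PBKDF2 salt bytes.
    dk = hashlib.pbkdf2_hmac(digest, plaintext.encode("utf8"),
                             salt.encode("ascii"), iterations, keylen)
    return "pbkdf2(%d,%d,%s)$%s$%s" % (iterations, keylen, digest, salt, dk.hex())


def verify_password(plaintext, stored):
    """Re-hash `plaintext` with the salt and parameters embedded in `stored`
    and compare the digests in constant time."""
    m = _FORMAT.match(stored)
    if not m:
        raise ValueError("unrecognised stored password format")
    iterations, keylen, digest, salt, expected = m.groups()
    dk = hashlib.pbkdf2_hmac(digest, plaintext.encode("utf8"),
                             salt.encode("ascii"), int(iterations), int(keylen))
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(dk.hex(), expected)


if __name__ == "__main__":
    a = hash_password("mysecret")
    b = hash_password("mysecret")
    print(a)
    print(b)
    print("strings equal:", a == b)                        # False: different salts
    print("a verifies:", verify_password("mysecret", a))    # True
    print("b verifies:", verify_password("mysecret", b))    # True
    print("wrong password:", verify_password("other", a))   # False
```

This is what the equality test inside web2py's CRYPT does for you: comparing the validated value with `==` re-hashes under the stored salt, whereas `str()` of a freshly validated value is a brand-new salted hash that will never equal the column.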