Looks like you'll have to store the salt when making the original hash of the password.

With that you can do:

    | salt originalPassword userInputPassword originalHash newHash secretKey |
    salt := 'salt'.
    originalPassword := 'password'.
    userInputPassword := '12345678'.
    "derive the stored hash and the candidate hash with the same salt"
    originalHash := PBKDF2 derivedKeySHA1Password: originalPassword salt: salt.
    newHash := PBKDF2 derivedKeySHA1Password: userInputPassword salt: salt.
    "fresh random key used only for this comparison"
    secretKey := SecureRandom new nextBytes: 16.
    "compare the HMACs of the two hashes rather than the hashes themselves"
    ((SHA256 new hmac key: secretKey) digestMessage: originalHash)
        = ((SHA256 new hmac key: secretKey) digestMessage: newHash).

We do the double SHA256 HMAC signing of the hashes because of https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/

You can store the #secretKey, and each user should get a new #salt every time they change their password, and you shouldn't reuse the salts for other users or passwords.

For PBKDF2 there is probably a max (or recommended) salt length, but I don't know it.

I also don't know anything about the SecureRandom class, but it says it on the tin, so maybe it is. Maybe not though. I don't know how to find out. But I don't know that it matters in this instance, as it's only used for the SHA256 HMAC internally in the comparison function.

Hope this helps.

Francis wrote
> Hi folks
>
> I'm playing with the PBKDF2 package of Udo:
> http://www.smalltalkhub.com/#!/~UdoSchneider/PBKDF2
> (thanks Udo), but I can't find how to validate a stored hash.
> Can you point me in the right direction?
>
> Thanks
> Francis

--
View this message in context: http://forum.world.st/Validate-password-with-PBKDF2-tp4952973p4952985.html
Sent from the Pharo Smalltalk Users mailing list archive at Nabble.com.
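The same store-then-verify flow from the reply above, written out as an added example in Python rather than Smalltalk (this is not code from the thread or from Udo's PBKDF2 package). It assumes the Python standard library only: `hashlib.pbkdf2_hmac` stands in for `PBKDF2 derivedKeySHA1Password:salt:` (SHA-1, 20-byte output, with an explicit iteration count so it is stored next to the salt), `os.urandom` stands in for `SecureRandom`, and the stored record, the `make_record`/`verify_password`/`change_password` names and the iteration count are this example's own choices. The comparison uses the double-HMAC trick the reply links to: both derived keys are HMAC'd under a fresh random key and the HMACs are compared, so a non-constant-time `==` leaks nothing an attacker can use.

```python
import hashlib
import hmac
import os

PRF = "sha1"          # matches derivedKeySHA1Password:salt: in the thread
DK_LEN = 20           # SHA-1 output size
ITERATIONS = 100_000  # assumed default; store it with the record so it can be raised later
SALT_LEN = 16         # assumed salt length (the thread does not give one)


def make_record(password, salt=None, iterations=ITERATIONS):
    """Hash a new password. Returns the record to persist: salt, iterations, hash.

    `salt` may be supplied for testing; in production leave it None so every
    record (every user, every password change) gets a fresh random salt.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations, DK_LEN)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def double_hmac_equal(a, b):
    """Double-HMAC comparison (NCC Group, 2011).

    Both inputs are HMAC'd under a key chosen fresh for this call, so the byte
    strings that reach `==` are unpredictable to the caller; any timing
    difference in `==` therefore reveals nothing about `a` or `b`.
    The key is never stored: it only has to live for this comparison.
    """
    key = os.urandom(32)
    ma = hmac.new(key, a, "sha256").digest()
    mb = hmac.new(key, b, "sha256").digest()
    return ma == mb


def verify_password(record, candidate):
    """Re-derive with the stored salt and iteration count, then compare safely."""
    dk = hashlib.pbkdf2_hmac(
        PRF,
        candidate.encode("utf-8"),
        record["salt"],
        record["iterations"],
        len(record["hash"]),
    )
    return double_hmac_equal(record["hash"], dk)


def change_password(record, old_password, new_password):
    """Replace a record only after the old password verifies; new salt every time.

    Returns the new record, or None if the old password was wrong.
    """
    if not verify_password(record, old_password):
        return None
    return make_record(new_password)


if __name__ == "__main__":
    # Constructed sample values mirroring the thread's example.
    rec = make_record("password")
    print("correct password verifies:", verify_password(rec, "password"))
    print("wrong password verifies:  ", verify_password(rec, "12345678"))
    rec2 = change_password(rec, "password", "correct horse battery staple")
    print("salt rotated on change:   ", rec2["salt"] != rec["salt"])
```

In Python the simpler choice for the final comparison is `hmac.compare_digest(record["hash"], dk)`, which is constant-time on its own; the block keeps the double-HMAC form because that is the construction the reply uses and it works in any language whose `=` is not constant-time. Store `salt`, `iterations` and `hash` together (for example as `iterations$base64(salt)$base64(hash)`) so the iteration count can be raised for new records without breaking old ones.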