[web2py] Re: How to check if plain text password matches with encrypted password in auth_user.password?

2013-04-06 Thread Massimo Di Pierro
This was explained many times before. You should look into the docstring of 
the CRYPT validator for examples and explanations. The bottom line is that

db.auth_user.password.validate(...) calls a crypt validator which returns 
(lazy_crypt(...), None or  'error')

The lazy_crypt object is not a string but it can be compared with a 
string and serialized into a string.

lazy_crypt(...) == 'hashed password'  reads the salt from the right 
hand side in order to perform a comparison.

Massimo


On Friday, 5 April 2013 14:02:39 UTC-5, Orrù wrote:


 suppose password='12345' and db.auth_user.first_name=='Lucas'
 so I find the user by first_name,
 row_user=db(db.auth_user.first_name=='Lucas').select().first()
 and

 row_user.password='pbkdf2(1000,20,sha512)$97448b22487eca1d$dae65c0429430b7ae7bb311fed8e844b6a37ff30'

 db.auth_user.password.validate('12345') == (db(db.auth_user.id==row_user.id).select().first().password, None)
 returns False
 CRYPT()('12345')==(row_user.password,None)
 also returns false

 Where am I going wrong?

 On Friday, December 21, 2012 11:12:26 PM UTC-2, Pearu Peterson wrote:

 Hi,

 I have a password in plain text and I want to check if it matches with 
 the crypted password in auth_user.password field.

 I have tried comparing auth_user.password with 
 str(db.auth_user.password.validate(plain_password)[0]) with no success even 
 when I know that the passwords match exactly.

 The problem seems to boil down to the fact that encryption of the same 
 string results in different encrypted strings. For example,
  from gluon.validators import CRYPT, LazyCrypt
  crypt = CRYPT()
  str(LazyCrypt(crypt, 'mysecret'))
  'pbkdf2(1000,20,sha512)$a2a2ca127df6bc19$77bb5a3d129e2ce710daaefeefef8356c4c827ff'
  str(LazyCrypt(crypt, 'mysecret'))
  'pbkdf2(1000,20,sha512)$a555a267249876fb$bc18f82b72a3a5ebce617f32d6abaa5c48734ab9'

 What would be the correct way to check if passwords match when they are 
 given in encrypted form?

 Any hints are appreciated,
 Pearu



-- 

--- 
You received this message because you are subscribed to the Google Groups 
web2py-users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
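
The salt-from-the-stored-value comparison described in the reply above, as an added stand-alone example (not web2py's code and not part of the original messages). It assumes the stored format shown in the thread, `pbkdf2(iterations,keylen,digest)$salt$hexdigest`, and assumes the salt text is used directly as the PBKDF2 salt; `hash_password` and `verify_password` are hypothetical names.

```python
import hashlib
import hmac
import os
import re

# Algorithm spec as it appears in the thread, e.g. pbkdf2(1000,20,sha512)
_SPEC = re.compile(r"^pbkdf2\((\d+),(\d+),(\w+)\)$")


def _derive(password, spec, salt):
    """Recompute the hex digest for `password` under `spec` and `salt`."""
    m = _SPEC.match(spec)
    if not m:
        raise ValueError("unsupported algorithm spec: %r" % spec)
    iterations, keylen, digest = int(m.group(1)), int(m.group(2)), m.group(3)
    # Assumption: the salt string itself (not its hex-decoded bytes) is the salt.
    raw = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"),
                              salt.encode("utf-8"), iterations, keylen)
    return raw.hex()


def hash_password(password, spec="pbkdf2(1000,20,sha512)"):
    """Hash with a fresh random salt, so equal passwords give different strings."""
    salt = os.urandom(8).hex()  # 16 hex characters, as in the thread's samples
    return "%s$%s$%s" % (spec, salt, _derive(password, spec, salt))


def verify_password(password, stored):
    """Re-derive using the spec and salt read from `stored`, then compare."""
    if stored is None or stored.count("$") != 2:
        return False
    spec, salt, expected = stored.split("$")
    try:
        candidate = _derive(password, spec, salt)
    except (ValueError, OverflowError):
        return False
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(candidate.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    a, b = hash_password("mysecret"), hash_password("mysecret")  # constructed sample
    print(a != b, verify_password("mysecret", a), verify_password("wrong", a))
    # Inside web2py, the check the reply describes would read:
    #   db.auth_user.password.validate(plain)[0] == row_user.password
```

Comparing two freshly generated strings fails because each carries its own random salt; verification has to take the salt and parameters from the stored value.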




Re: [web2py] Re: How to check if plain text password matches with encrypted password in auth_user.password?

2013-04-06 Thread Vicente Orru
thank you.


2013/4/6 Massimo Di Pierro massimo.dipie...@gmail.com

 This was explained many times before. You should look into the docstring
 of the CRYPT validator for examples and explanations. The bottom line is
 that

 db.auth_user.password.validate(...) calls a crypt validator which
 returns (lazy_crypt(...), None or  'error')

 The lazy_crypt object is not a string but it can be compared with a
 string and serialized into a string.

 lazy_crypt(...) == 'hashed password'  reads the salt from the right
 hand side in order to perform a comparison.

 Massimo


 On Friday, 5 April 2013 14:02:39 UTC-5, Orrù wrote:


 suppose password='12345' and db.auth_user.first_name=='Lucas'
 so I find the user by first_name,
 row_user=db(db.auth_user.first_name=='Lucas').select().first()
 and
 row_user.password='pbkdf2(1000,20,sha512)$97448b22487eca1d$dae65c0429430b7ae7bb311fed8e844b6a37ff30'

 db.auth_user.password.validate('12345') == (db(db.auth_user.id==row_user.id).select().first().password, None)
 returns False
 CRYPT()('12345')==(row_user.password,None)
 also returns false

 Where am I going wrong?

 On Friday, December 21, 2012 11:12:26 PM UTC-2, Pearu Peterson wrote:

 Hi,

 I have a password in plain text and I want to check if it matches with
 the crypted password in auth_user.password field.

 I have tried comparing auth_user.password with
 str(db.auth_user.password.validate(plain_password)[0]) with no success even
 when I know that the passwords match exactly.

 The problem seems to boil down to the fact that encryption of the same
 string results in different encrypted strings. For example,
  from gluon.validators import CRYPT, LazyCrypt
  crypt = CRYPT()
  str(LazyCrypt(crypt, 'mysecret'))
  'pbkdf2(1000,20,sha512)$a2a2ca127df6bc19$77bb5a3d129e2ce710daaefeefef8356c4c827ff'
  str(LazyCrypt(crypt, 'mysecret'))
  'pbkdf2(1000,20,sha512)$a555a267249876fb$bc18f82b72a3a5ebce617f32d6abaa5c48734ab9'

 What would be the correct way to check if passwords match when they are
 given in encrypted form?

 Any hints are appreciated,
 Pearu





[web2py] Re: How to check if plain text password matches with encrypted password in auth_user.password?

2013-04-05 Thread Orrù

suppose password='12345' and db.auth_user.first_name=='Lucas'
so I find the user by first_name,
row_user=db(db.auth_user.first_name=='Lucas').select().first()
and 
row_user.password='pbkdf2(1000,20,sha512)$97448b22487eca1d$dae65c0429430b7ae7bb311fed8e844b6a37ff30'

db.auth_user.password.validate('12345') == (db(db.auth_user.id==row_user.id).select().first().password, None)
returns False
CRYPT()('12345')==(row_user.password,None)
also returns false

Where am I going wrong?

On Friday, December 21, 2012 11:12:26 PM UTC-2, Pearu Peterson wrote:

 Hi,

 I have a password in plain text and I want to check if it matches with the 
 crypted password in auth_user.password field.

 I have tried comparing auth_user.password with 
 str(db.auth_user.password.validate(plain_password)[0]) with no success even 
 when I know that the passwords match exactly.

 The problem seems to boil down to the fact that encryption of the same 
 string results in different encrypted strings. For example,
  from gluon.validators import CRYPT, LazyCrypt
  crypt = CRYPT()
  str(LazyCrypt(crypt, 'mysecret'))
  'pbkdf2(1000,20,sha512)$a2a2ca127df6bc19$77bb5a3d129e2ce710daaefeefef8356c4c827ff'
  str(LazyCrypt(crypt, 'mysecret'))
  'pbkdf2(1000,20,sha512)$a555a267249876fb$bc18f82b72a3a5ebce617f32d6abaa5c48734ab9'

 What would be the correct way to check if passwords match when they are 
 given in encrypted form?

 Any hints are appreciated,
 Pearu


