Hey

I'm moving from whirlpool to bcrypt and really can't understand it. can someone give me an example of how you'd verify a password is the same as what is held in the sql db? i can register fine and it saves the password correctly, i'm just struggling to actually check it.

thanks

The whole point of a hashing algorithm is to take an input, manipulate the data and output a unique representation of the original input (=hash) that cannot be reverted to its original input. If a user now inputs a password, you need to hash it and compare the hash of the user's input against the hash persisted in your database. If both hashes are equal the user has entered the correct password.

If you're looking into hashing passwords or any kind of sensitive data, you might also want to look into salting.


Hope this helps!

(2021-01-30, 07:19 PM)Manyula Wrote: The whole point of a hashing algorithm is to take an input, manipulate the data and output a unique representation of the original input (=hash) that cannot be reverted to its original input. If a user now inputs a password, you need to hash it and compare the hash of the user's input against the hash persisted in your database. If both hashes are equal the user has entered the correct password.

If you're looking into hashing passwords or any kind of sensitive data, you might also want to look into salting.


Hope this helps!

Yeah, I've been doing that but I'm getting this in the console

Quote:[SampBcrypt] [error]: LoginVerification => InvalidHash("")

I haven't really done anything with the bcrypt plugin, so for me that error is nothing to really go on. Mind sharing your code?

Post your code!

I have a feeling this is entirely wrong but I was just guessing at this point, was hoping for a guide on how to properly use this. nohate lol

(2021-02-01, 08:30 PM)Behemoth Wrote:

Code:

mysql_format(dbConnection, query, sizeof(query), "SELECT acc_pass FROM accounts WHERE acc_user = '%e'", ReturnName(playerid));
mysql_tquery(dbConnection, query);

cache_get_value_name(0, "acc_pass", password, 256);

bcrypt_hash(0, "LoginVerification", password, 12);

Code:

forward LoginVerification(playerid);
public LoginVerification(playerid) {
new
hash[256], check[256];

bcrypt_get_hash(hash);

bcrypt_verify(playerid, "HashCheck", hash, check);
return 1;
}

forward HashCheck(playerid, bool:success);
public HashCheck(playerid, bool:success) {
if(success) {
return SendClientMessage(playerid, COLOR_LIGHTRED, "IT WORKS CUNT");
}
return 1;

I have a feeling this is entirely wrong but I was just guessing at this point, was hoping for a guide on how to properly use this. nohate lol

I believe you do not need to pass the hashed version of the password into bcrypt_verify, instead you pass the stored hash and the plaintext input.
So when logging in, you can skip the entire process with "LoginVerification" and just instantly jump to bcrypt_verify with HashCheck.

See attached code from my gamemode:



pBcrypt is where I store the hash that has been loaded from the player files. Under OnPasswordVerify I set the player as logged in if success == true.

(2021-02-02, 04:11 PM)Jarnokai Wrote: See attached code from my gamemode:

Code:

if (strlen(pBcrypt[playerid]))
{
bcrypt_verify(playerid,"OnPasswordVerify",inputtext,pBcrypt[playerid]);
}

pBcrypt is where I store the hash that has been loaded from the player files. Under OnPasswordVerify I set the player as logged in if success == true.

I've tried doing so, unfortunately still getting "[SampBcrypt] [error]: LoginVerification => InvalidHash("")"

(2021-02-02, 11:41 PM)Behemoth Wrote: I've tried doing so, unfortunately still getting "[SampBcrypt] [error]: LoginVerification => InvalidHash("")"

(2021-02-02, 04:09 PM)Jarnokai Wrote: when logging in, you can skip the entire process with "LoginVerification" and just instantly jump to bcrypt_verify with HashCheck.

Of course it is invalid.

(2021-01-30, 07:19 PM)Manyula Wrote: The whole point of a hashing algorithm is to take an input, manipulate the data and output a unique representation of the original input (=hash) that cannot be reverted to its original input. If a user now inputs a password, you need to hash it and compare the hash of the user's input against the hash persisted in your database. If both hashes are equal the user has entered the correct password.

If you're looking into hashing passwords or any kind of sensitive data, you might also want to look into salting.


Hope this helps!

That is actually not how bcrypt works, unlike SHA256 and MD5 where you have to hash the actual input so that you can compare passwords.

I'll be explaining how to hash/check passwords

When you show the register dialog for a player. You check if the input is long/short etc. Then you use bcrypt_hash function and pass the playerid argument then you do create a variabe where you will store the hash using bcrpt_get_hash function (Call the variable whatever you want and make sure the variable's size is "BCRYPT_HASH_LENGTH") then you insert it into the database

So if you want to log the player in, If using MySQL plugin, as I stated above, you are doing it wrong because the password is invalid, you should use cache_get_value_name or cache_get_field_content depends on your MySQL plugin version to get the password's value and store it in the player Password variable. Then in the login dialog you use bcyrpt_check function and pass playerid as an argument , then in the callback you specified you create a boolean variable that has the value "bcrypt_is_equal" then check if the variable is true or false, and that's it

Hopefully that helps. If you didn't understand yet. I can share a code example