chrisvoo · October 6, 2016 04:12
diff --git a/bcrypt.txt b/bcrypt.txt
 /* $2$(2 chars work)$(22 chars salt)(31 chars hash)
 * 2 - the original BCrypt, which has been deprecated because of a security issue a long time before BCrypt became popular.
 * 2a - the official BCrypt algorithm and a insecure implementation in crypt_blowfish
 * 2x - suggested for hashes created by the insecure algorithm for compatibility
 * 2y - suggested new marker for the fixed crypt_blowfish 
 *
 * So 2a hashes created by the original algorithm or the java port are fine, and identical to 2y-hashes created by 
 * crypt_blowfish. But 2a hashes created by crypt_blowfish are insecure. */


 // Java Spring Security 4+
 // http://stackoverflow.com/questions/29740597/is-spring-securitys-bcrypt-implementation-vulnerable
 // not interoperable with PHP $2y, just replace it
 String password = "plaintextPassword";
 PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
 String hashedPassword = passwordEncoder.encode(password);
 System.out.println(hashedPassword);

 // PHP 5.5+
 // http://php.net/password_hash
 // http://php.net/password_verify
 $hash = password_hash("plaintextPassword", PASSWORD_BCRYPT, array("cost" => 11));
 echo $hash;
 if(password_verify("plaintextPassword", $hash))
   echo "password ok";
 else
   echo "password FAIL";
   
 -- PostgreSQL 8.4+
 -- http://www.postgresql.org/docs/9.4/static/pgcrypto.html
 CREATE EXTENSION pgcrypto;
 SELECT crypt('plaintextPassword', gen_salt('bf', 11));
 -- $2a$10$d6xTF88NYNb8solSKuv8NuFeIFkSNTjz4AVtctw3Z8WCSvpCuTtlS
 SELECT crypt('plaintextPassword', '$2a$10$d6xTF88NYNb8solSKuv8NuFeIFkSNTjz4AVtctw3Z8WCSvpCuTtlS') = '$2a$10$d6xTF88NYNb8solSKuv8NuFeIFkSNTjz4AVtctw3Z8WCSvpCuTtlS'


 # Python
 # pip install bcrypt 
 # https://code.google.com/p/py-bcrypt/
 # https://pypi.python.org/pypi/bcrypt
 import bcrypt

 # gensalt's log_rounds parameter determines the complexity.
 # The work factor is 2**log_rounds, and the default is 12
 hashed = bcrypt.hashpw(password, bcrypt.gensalt(10));

 # Check that an unencrypted password matches one that has
 # previously been hashed
 if bcrypt.hashpw(password, hashed) == hashed:
        print "It matches"
 else:
        print "It does not match"
	/* $2$(2 chars work)$(22 chars salt)(31 chars hash)
	* 2 - the original BCrypt, which has been deprecated because of a security issue a long time before BCrypt became popular.
	* 2a - the official BCrypt algorithm and a insecure implementation in crypt_blowfish
	* 2x - suggested for hashes created by the insecure algorithm for compatibility
	* 2y - suggested new marker for the fixed crypt_blowfish
	*
	* So 2a hashes created by the original algorithm or the java port are fine, and identical to 2y-hashes created by
	* crypt_blowfish. But 2a hashes created by crypt_blowfish are insecure. */


	// Java Spring Security 4+
	// http://stackoverflow.com/questions/29740597/is-spring-securitys-bcrypt-implementation-vulnerable
	// not interoperable with PHP $2y, just replace it
	String password = "plaintextPassword";
	PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
	String hashedPassword = passwordEncoder.encode(password);
	System.out.println(hashedPassword);

	// PHP 5.5+
	// http://php.net/password_hash
	// http://php.net/password_verify
	$hash = password_hash("plaintextPassword", PASSWORD_BCRYPT, array("cost" => 11));
	echo $hash;
	if(password_verify("plaintextPassword", $hash))
	echo "password ok";
	else
	echo "password FAIL";

	-- PostgreSQL 8.4+
	-- http://www.postgresql.org/docs/9.4/static/pgcrypto.html
	CREATE EXTENSION pgcrypto;
	SELECT crypt('plaintextPassword', gen_salt('bf', 11));
	-- $2a$10$d6xTF88NYNb8solSKuv8NuFeIFkSNTjz4AVtctw3Z8WCSvpCuTtlS
	SELECT crypt('plaintextPassword', '$2a$10$d6xTF88NYNb8solSKuv8NuFeIFkSNTjz4AVtctw3Z8WCSvpCuTtlS') = '$2a$10$d6xTF88NYNb8solSKuv8NuFeIFkSNTjz4AVtctw3Z8WCSvpCuTtlS'


	# Python
	# pip install bcrypt
	# https://code.google.com/p/py-bcrypt/
	# https://pypi.python.org/pypi/bcrypt
	import bcrypt

	# gensalt's log_rounds parameter determines the complexity.
	# The work factor is 2**log_rounds, and the default is 12
	hashed = bcrypt.hashpw(password, bcrypt.gensalt(10));

	# Check that an unencrypted password matches one that has
	# previously been hashed
	if bcrypt.hashpw(password, hashed) == hashed:
	print "It matches"
	else:
	print "It does not match"