
ValueError: Invalid salt about bcrypt HOT 13 CLOSED

pyca commented on July 21, 2024
ValueError: Invalid salt

from bcrypt.

Comments (13)

shahram4m commented on July 21, 2024

Check the database for the password field value. I think the password value was not hashed in the table. Then this error is raised when the user tries to log in.

charmander commented on July 21, 2024

Did you check self.password?

alanhamlett commented on July 21, 2024

Yes, the check_password method looks like this and checks for unset/empty passwords on the first line:

    def check_password(self, password):
        if not self.password or not password:
            return False
        return bcrypt.check_password_hash(self.password, password)

charmander commented on July 21, 2024

What is the value of self.password when the error occurs?

alanhamlett commented on July 21, 2024

I'm not sure of the exact value of self.password at the time of the error, but it must have been a Python2 unicode type because it was retrieved via Postgres from a VARCHAR(160) column. It could not have been None or blank as seen in the check_password method above. It would have been a hashed password value for a user (the past output from bcrypt.generate_password_hash(password)).

HendrikF commented on July 21, 2024

Sorry, mixed libraries...

reaperhulk commented on July 21, 2024

InvalidSalt is what is raised if you supply a password that does not match the given bcrypt hash. Since this is a few months old I'm going to close it but if you're still having an issue feel free to reopen.

alanhamlett commented on July 21, 2024

@reaperhulk why does the exception say invalid salt instead of invalid password? The docs say when supplying a password not matching the given bcrypt hash that bcrypt.check_password_hash should return None not raise an exception.

reaperhulk commented on July 21, 2024

@alanhamlett Are you sure you're looking at the docs for this project? check_password_hash is not a function we provide. checkpw is a function py-bcrypt supplies, but right now bcrypt does not (although there's no reason why it couldn't since checkpw is just calling the same thing hashpw does but returning a different message).

alanhamlett commented on July 21, 2024

Oh sorry that method was from Flask-Bcrypt which wraps this library. Maybe it's a bug in Flask-Bcrypt then.

reaperhulk commented on July 21, 2024

I filed supporting checkpw as #74 so it may be in an upcoming release as well. It is definitely confusing that hashpw can both generate a new password hash and also verify a password against a pre-generated hash (and the failure case will raise InvalidSalt).

charmander commented on July 21, 2024

> InvalidSalt is what is raised if you supply a password that does not match the given bcrypt hash. Since this is a few months old I'm going to close it but if you're still having an issue feel free to reopen.

This doesn’t seem to be the case:

    >>> h = bcrypt.hashpw(b'password', bcrypt.gensalt(10))
    >>> h
    '$2b$10$asbns6WWho6TkeROkj6i6ekOCrI6oD0EZBb32n7NrmDFzhDl9E8fy'
    >>> bcrypt.hashpw(b'test', h)
    '$2b$10$asbns6WWho6TkeROkj6i6eCCbN64Jo282VVeqvo75SxJMtvl6arWi'

Tested with both bcrypt 2.0.0 and 3.0.0.

reaperhulk commented on July 21, 2024

@charmander is entirely correct and my reading was nonsense.

hashpw takes either a salt OR a "hash" (which is the salt concatenated with the derived password hash). When you call hashpw with the hash it grabs the salt and creates a new hash with the given password and it's up to the caller to compare to see if the two hashes are equal. As of this moment (3.0.0 and below) you must do this comparison yourself, but #76 will do it on your behalf.
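
The caller-side comparison described in the last comment, as an added example that is not part of the thread or of the bcrypt project: it checks that the stored value is a well-formed bcrypt string before it is passed to hashpw as the salt argument, then compares in constant time. The names `diagnose_stored_hash` and `check_password`, the diagnosis labels and the injectable `hashpw` parameter are assumptions of this example; the two sample hashes are the ones from the session quoted above.

```python
import hmac
import re

# bcrypt string layout: $2a/$2b/$2x/$2y, two-digit cost, 22-char salt, 31-char digest
BCRYPT_RE = re.compile(rb"\$2[abxy]\$\d\d\$[./A-Za-z0-9]{22}[./A-Za-z0-9]{31}")
PREFIX_RE = re.compile(rb"\$2[abxy]\$\d\d\$")


def _to_bytes(value):
    return value.encode("utf-8") if isinstance(value, str) else value


def diagnose_stored_hash(stored):
    """Classify a value read from the password column before it reaches hashpw."""
    if not stored:
        return "empty"
    raw = _to_bytes(stored)
    if raw != raw.strip():
        return "padded"        # stray whitespace, e.g. a fixed-width column
    if BCRYPT_RE.fullmatch(raw):
        return "ok"
    if PREFIX_RE.match(raw) and len(raw) < 60:
        return "truncated"     # column too short for the 60-character string
    return "not-bcrypt"        # plaintext or another scheme stored in the column


def check_password(password, stored, hashpw=None):
    """Re-hash with the stored value as the salt argument, then compare."""
    if not password or diagnose_stored_hash(stored) != "ok":
        return False           # log the diagnosis; never pass this to hashpw
    if hashpw is None:
        import bcrypt          # assumption: the pyca bcrypt package is installed
        hashpw = bcrypt.hashpw
    stored_b = _to_bytes(stored)
    candidate = _to_bytes(hashpw(_to_bytes(password), stored_b))
    return hmac.compare_digest(candidate, stored_b)   # constant-time comparison


if __name__ == "__main__":
    # The two hashes from the session quoted in the thread, replayed offline.
    h_password = b"$2b$10$asbns6WWho6TkeROkj6i6ekOCrI6oD0EZBb32n7NrmDFzhDl9E8fy"
    h_test = b"$2b$10$asbns6WWho6TkeROkj6i6eCCbN64Jo282VVeqvo75SxJMtvl6arWi"
    replay = lambda pw, salt: {b"password": h_password, b"test": h_test}[pw]
    print(check_password("password", h_password, replay))
    print(check_password("test", h_password, replay))
    print(diagnose_stored_hash("hunter2"))
```
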
