Question around passwords, login and bcrypt field in mongodb

Hi all,

I’m trying to understand how Meteor stores the passwords in MongoDB. I read the docs but I couldn’t find an answer to my question.
When I create a new user through my app, which is a Telescope app, a new user is created with a bcrypt field, which is actually the password. However, I cannot generate the same bcrypt hash with any of the bcrypt clients, so I cannot match the password outside of the app. Telescope, however, can log me in with that newly generated user’s account. Telescope uses Meteor accounts, so it’s appropriate to ask this audience.

Here is an example:
password: paylasio12345
telescope generated a hash like this: $2a$10$4PjF7Wz/9W3hcQy.c8DabuUQnDTD8gL3C9VTSPj5dZP.oBOvGRxGq

When I try in some random bcrypt calculator I cannot generate the same hash, even though I use the same salt, algorithm version and cost factor.

Here is a screenshot:

Here are my trials with the Python client (the results are the same in the npm JS bcrypt client, which is used in Meteor):

import bcrypt
bcrypt.hashpw('paylasio12345', '$2a$10$4PjF7Wz/9W3hcQy.c8DabuUQnDTD8gL3C9VTSPj5dZP.oBOvGRxGq')
'$2a$10$4PjF7Wz/9W3hcQy.c8DabumHygPYe2kQuvObxUHw0G53SJe9Zf6Si'

As you can see, I cannot generate the same hash again for the same password.

Could anybody show me a way to achieve this?

Thanks.

Hey mate,

Just remember when testing that you test just the SHA256 encoded password against the salted version inside the db.

Bcrypt will change the values over time so you need to be aware of how bcrypt actually generates the values and compares them.
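
Added example, not part of either post above and not Meteor's own code: a Python sketch of the check the reply describes, where the value given to bcrypt is the SHA-256 digest of the password rather than the plaintext. It assumes the digest is passed as a lowercase hex string and that the pip `bcrypt` package is installed; the function names and the sample password are constructed for illustration.

```python
import hashlib
import re

# bcrypt modular crypt format: $<version>$<cost>$<22-char salt><31-char digest>
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def parse_bcrypt(stored):
    """Split a stored bcrypt string into version, cost, salt and digest."""
    m = _BCRYPT_RE.match(stored)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    version, cost, salt, digest = m.groups()
    return {"version": version, "cost": int(cost), "salt": salt, "digest": digest}


def meteor_prehash(password):
    """Bytes handed to bcrypt (assumption: lowercase hex SHA-256 of the UTF-8 password)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest().encode("ascii")


def make_meteor_hash(password, rounds=10):
    """Build a stored value the same way: bcrypt over the SHA-256 hex digest."""
    import bcrypt  # third-party package, imported lazily
    return bcrypt.hashpw(meteor_prehash(password),
                         bcrypt.gensalt(rounds=rounds)).decode("ascii")


def verify_meteor_password(password, stored):
    """Check a password against the stored bcrypt field using the SHA-256 pre-hash."""
    import bcrypt
    parse_bcrypt(stored)  # reject malformed input before calling bcrypt
    return bcrypt.checkpw(meteor_prehash(password), stored.encode("ascii"))


def verify_raw_password(password, stored):
    """What a generic bcrypt calculator does: bcrypt over the plaintext itself."""
    import bcrypt
    return bcrypt.checkpw(password.encode("utf-8"), stored.encode("ascii"))


if __name__ == "__main__":
    pw = "constructed-example-pw"  # constructed sample, not from the thread
    stored = make_meteor_hash(pw, rounds=4)
    print(parse_bcrypt(stored))
    print("plaintext into bcrypt :", verify_raw_password(pw, stored))
    print("sha256 hex into bcrypt:", verify_meteor_password(pw, stored))
```

The salt and cost are read back from the stored string itself, which is why a plaintext attempt reproduces the first 29 characters of the hash but not the trailing 31-character digest.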