3
votes

Moodle saves hashed passwords in the user table in this format:

If the stored password is:

$2y$10$UB6vKrpw227eqVXj2PiPou9c0eRtxsdU02fo9.wc3VtsA2FI.gS6a
then:
$2y$ = the id of the hashing algorithm used (crypt_blowfish), enclosed in dollar signs.
10$ = the cost of using that algorithm (two digits) followed by a dollar sign.
UB6vKrpw227eqVXj2PiPou = randomly generated secure salt (22 characters).
9c0eRtxsdU02fo9.wc3VtsA2FI.gS6a = the hash (31 characters).

I have the plain password in text. I can't figure out how to check it with Python.

1 Answer

2
votes

It is simply done using bcrypt:

pip install bcrypt

Then it is just a matter of calling the checkpw() function:

import bcrypt

hashed = b'$2y$10$UB6vKrpw227eqVXj2PiPou9c0eRtxsdU02fo9.wc3VtsA2FI.gS6a'

password = input('Enter password:').encode()
if bcrypt.checkpw(password, hashed):
    print('Correct password entered!')
else:
    print('Password is wrong!')

Note that bcrypt works with bytes and not strings, which is why the user input must be run through .encode().
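As an added example (not code from the question or the answer above), the following parses a stored Moodle hash into the four fields the question describes, rejects anything that is not a well-formed bcrypt string, and only then hands the check to bcrypt.checkpw() as the answer shows. The parser uses only the standard library; the verify step assumes the pyca bcrypt package (pip install bcrypt), which accepts the PHP-style $2y$ prefix. The hash constant is the one from the question; the function and variable names are my own.

```python
import re
from typing import NamedTuple, Optional

# The hash quoted in the question (Moodle user table, crypt_blowfish / $2y$).
MOODLE_HASH = "$2y$10$UB6vKrpw227eqVXj2PiPou9c0eRtxsdU02fo9.wc3VtsA2FI.gS6a"

# bcrypt uses its own base64 alphabet (./A-Za-z0-9), not the RFC 4648 one.
_BCRYPT_B64 = r"[./A-Za-z0-9]"

# $<id>$<cost>$<22-char salt><31-char hash>, exactly the layout the question
# describes: the salt and hash are concatenated with no separator.
_BCRYPT_RE = re.compile(
    r"^\$(?P<id>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>" + _BCRYPT_B64 + r"{22})"
    r"(?P<hash>" + _BCRYPT_B64 + r"{31})$"
)


class BcryptHash(NamedTuple):
    ident: str   # "2y" for PHP/Moodle crypt_blowfish output
    cost: int    # work factor: bcrypt runs 2**cost key-expansion rounds
    salt: str    # 22 bcrypt-base64 chars (128 bits of random salt)
    digest: str  # 31 bcrypt-base64 chars (184 bits of hash output)


def parse_bcrypt_hash(stored: str) -> Optional[BcryptHash]:
    """Split a stored bcrypt string into its fields, or return None if it
    is not a structurally valid bcrypt hash (wrong prefix, length, alphabet
    or an out-of-range cost)."""
    m = _BCRYPT_RE.match(stored)
    if m is None:
        return None
    cost = int(m.group("cost"))
    # bcrypt implementations only accept costs from 4 to 31.
    if not 4 <= cost <= 31:
        return None
    return BcryptHash(m.group("id"), cost, m.group("salt"), m.group("hash"))


def verify_moodle_password(plain: str, stored: str) -> bool:
    """Return True only if `plain` matches the stored bcrypt hash.

    Malformed stored values are rejected up front instead of being passed to
    bcrypt, which would raise on an invalid salt. The comparison itself is
    done by bcrypt.checkpw(), which recomputes the hash with the embedded
    salt and cost and compares in constant time.
    """
    if parse_bcrypt_hash(stored) is None:
        return False
    import bcrypt  # assumed installed: pip install bcrypt

    # bcrypt operates on bytes: encode the user's input and the stored hash.
    return bcrypt.checkpw(plain.encode("utf-8"), stored.encode("ascii"))


if __name__ == "__main__":
    fields = parse_bcrypt_hash(MOODLE_HASH)
    print(f"algorithm=${fields.ident}$ cost={fields.cost}")
    print(f"salt={fields.salt} hash={fields.digest}")
    candidate = input("Enter password: ")
    print("match" if verify_moodle_password(candidate, MOODLE_HASH) else "no match")
```

Parsing first is what makes the check safe to run over every row of a user table: a record that holds a legacy or corrupted value is simply treated as "no match" rather than aborting the whole batch, and the cost field tells you which accounts still sit at a work factor you consider too low.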