BCryptVerify()
Verifies a password against a BCrypt hash. Use this instead of the deprecated VerifyBCryptHash().
Requires Extension: Crypto Extension
BCryptVerify( input=string, hash=string, throwOnError=boolean );
Returns: Boolean
| Argument | Description | Default |
|---|---|---|
| input (string, required) | Password to verify | |
| hash (string, required) | BCrypt hash to check against | |
| throwOnError (boolean, optional) | If true, throws an exception on invalid hash format instead of returning false | false |
Usage Notes
The cost factor is encoded in the hash, so you don't need to specify it when verifying. This means you can increase the cost over time and existing hashes will still verify correctly.
By default, invalid or malformed hashes return false. Pass throwOnError=true if you want an exception instead.
Replaces the deprecated VerifyBCryptHash().
Examples
// Hash a password at registration time
hash = BCryptHash( "user-password" );
// Store 'hash' in your database
// At login, verify the password against the stored hash
isValid = BCryptVerify( "user-password", hash ); // true
isWrong = BCryptVerify( "wrong-password", hash ); // false
// Invalid hashes return false by default (no exception thrown)
result = BCryptVerify( "password", "not-a-valid-hash" ); // false
// Pass throwOnError=true to get an exception on invalid hashes instead
try {
    BCryptVerify( "password", "not-a-valid-hash", true );
} catch ( e ) {
    // handle the error
}
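The usage notes above say the cost factor travels inside the hash and that malformed hashes return false unless throwOnError is set. The following added example (not from the Lucee documentation) uses both points at login: it tells a corrupted stored hash apart from a wrong password and flags hashes whose embedded cost is below a target. The names bcryptCost(), checkLogin() and targetCost, and the default target of 12, are assumptions made for illustration.

```cfml
// Added example, not part of the Lucee documentation.
// Hypothetical names: bcryptCost(), checkLogin(), targetCost.

// Returns the cost factor embedded in a BCrypt hash such as "$2a$10$...",
// or 0 when the string does not have the 60-character BCrypt layout.
numeric function bcryptCost( required string hash ) {
    if ( !reFind( "^\$2[abxy]\$[0-9]{2}\$[./A-Za-z0-9]{53}$", arguments.hash ) ) {
        return 0;
    }
    // Characters 5-6 hold the two-digit cost: $2a$NN$...
    return val( mid( arguments.hash, 5, 2 ) );
}

// Verifies a login attempt and reports why it failed or whether the
// stored hash should be upgraded.
struct function checkLogin(
    required string password,
    required string storedHash,
    numeric targetCost = 12 // assumed policy value, not from the docs
) {
    var result = { authenticated = false, needsRehash = false, malformed = false };
    try {
        // throwOnError=true separates "bad record" from "wrong password"
        result.authenticated = BCryptVerify( arguments.password, arguments.storedHash, true );
    } catch ( any e ) {
        // Stored value is not a BCrypt hash: log and investigate the record
        result.malformed = true;
        return result;
    }
    // The plaintext is only available now, so this is the moment to upgrade
    if ( result.authenticated && bcryptCost( arguments.storedHash ) < arguments.targetCost ) {
        result.needsRehash = true;
    }
    return result;
}

// Constructed sample data: a fresh hash and a deliberately malformed value
stored = BCryptHash( "sample-password" );
good   = checkLogin( "sample-password", stored );
wrong  = checkLogin( "other-password", stored );
broken = checkLogin( "sample-password", "not-a-valid-hash" );
writeDump( { good = good, wrong = wrong, broken = broken } );
```

When needsRehash is true, call BCryptHash() on the submitted password and store the result; this assumes hashing is set up to produce a cost at or above targetCost.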
See also
- Cryptography
- BCryptHash()
- GenerateBCryptHash()
- VerifyBCryptHash()
- Search Issue Tracker
- Search Lucee Test Cases (good for further, detailed examples)