Reputation: 2912
I am generating a hash in a python app using the flask-bcrypt package on top of flask-security. For a password of test12 I got a result of '$2a$12$ibinoz7sTc76Vh09shUhruYD8CrJyUxPpu1m.kb6LmFmzvWBbb52a'
(used a randomly generated salt, per bcrypt docs)
but when I do the following in python terminal:
import bcrypt  # the py-bcrypt package installs a module named "bcrypt"; "import py-bcrypt" is a syntax error
print bcrypt.hashpw("test12", '$2a$12$ibinoz7sTc76Vh09shUhruYD8CrJyUxPpu1m.kb6LmFmzvWBbb52a')
I get: $2a$12$ibinoz7sTc76Vh09shUhru1wllZi3KqQEluhhInj5FAghM4uczmxe
when I think I should be getting back the original as a match. I also checked with .checkpw and it returns False.
What am I doing wrong? Can they possibly yield different results? My app authenticates just fine.
UPDATE: when I manually call (in the Flask app)
print check_password_hash('$2a$12$ibinoz7sTc76Vh09shUhruYD8CrJyUxPpu1m.kb6LmFmzvWBbb52a', 'test12')
I also get False. Very strange indeed, considering 'test12' works to log in. If I generate a new password hash in the app, and check it using the above, it passes.
UPDATE 2: I have learned that flask-security uses HMAC, as well as the chosen password hashing backend (bcrypt, in my case), and I suspect that this may be the cause of the inconsistency. Assuming that is true, the question becomes: how does one verify a password hash that has both HMAC and bcrypt applied? My app is configured to provide a secret key as an HMAC salt (sha512), so I tried:
result = hmac.new('...my apps secretkey...', 'test12', hashlib.sha512).hexdigest()
print bcrypt.checkpw(result, '$2a$12$ibinoz7sTc76Vh09shUhruYD8CrJyUxPpu1m.kb6LmFmzvWBbb52a')
But that isn't working either.
Upvotes: 2
Views: 1266
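The HMAC-then-bcrypt pipeline the second update describes, reconstructed as an added example (this is not code from the question, from flask-bcrypt, or from Flask-Security itself). It uses only the standard library plus the bcrypt package (pyca/bcrypt or py-bcrypt, both of which export hashpw, gensalt and checkpw) and shows why feeding bcrypt the raw password or the hexdigest() of the HMAC both fail while the base64-encoded raw digest verifies. The salt value and the helper names are assumptions; in Flask-Security the salt comes from the app's SECURITY_PASSWORD_SALT setting.

```python
import base64
import hashlib
import hmac

try:
    import bcrypt  # pyca/bcrypt or py-bcrypt: both export hashpw/gensalt/checkpw
except ImportError:  # the HMAC step below still works without the backend
    bcrypt = None

# Constructed values for this example; a real app reads them from its config.
PASSWORD_SALT = "example-SECURITY_PASSWORD_SALT-value"  # assumption, not a real secret
BCRYPT_ROUNDS = 12       # the "$2a$12$" cost seen in the question
BCRYPT_MAX_BYTES = 72    # bcrypt keys off at most 72 bytes of input


def get_hmac(password, salt=PASSWORD_SALT):
    """Flask-Security-style pre-hash: HMAC-SHA512 keyed with the configured salt,
    then base64 of the *raw* digest (88 ASCII bytes), not hexdigest()."""
    mac = hmac.new(salt.encode("utf-8"), password.encode("utf-8"), hashlib.sha512)
    return base64.b64encode(mac.digest())


def hex_hmac(password, salt=PASSWORD_SALT):
    """The variant tried in the question (hexdigest, 128 ASCII bytes). It is a
    different byte string, so bcrypt can never match it against a hash of get_hmac()."""
    mac = hmac.new(salt.encode("utf-8"), password.encode("utf-8"), hashlib.sha512)
    return mac.hexdigest().encode("ascii")


def _backend_input(prehash):
    """bcrypt only uses the first 72 bytes of its input; implementations differ on
    longer input (silent truncation vs. an error), so truncate explicitly. Hashing
    and verifying both pass through here, so the two sides stay consistent."""
    return prehash[:BCRYPT_MAX_BYTES]


def hash_password(password, salt=PASSWORD_SALT, rounds=BCRYPT_ROUNDS):
    """What the app stores: bcrypt over the pre-hashed password with a fresh salt."""
    return bcrypt.hashpw(_backend_input(get_hmac(password, salt)),
                         bcrypt.gensalt(rounds)).decode("ascii")


def verify_password(password, stored_hash, salt=PASSWORD_SALT):
    """Manual check equivalent to the app's login path: pre-hash first, then let
    bcrypt recompute using the salt embedded in stored_hash."""
    return bcrypt.checkpw(_backend_input(get_hmac(password, salt)),
                          stored_hash.encode("ascii"))


def check_raw_password(password, stored_hash):
    """What the question's terminal session did: hand bcrypt the raw password.
    Returns False for any hash produced by hash_password()."""
    return bcrypt.checkpw(password.encode("utf-8"), stored_hash.encode("ascii"))


if __name__ == "__main__":
    stored = hash_password("test12")
    print("stored hash:          ", stored)
    print("raw password matches? ", check_raw_password("test12", stored))   # False
    print("hex pre-hash matches? ", bcrypt.checkpw(
        _backend_input(hex_hmac("test12")), stored.encode("ascii")))        # False
    print("base64 pre-hash match?", verify_password("test12", stored))      # True
```

Note that the base64 pre-hash is 88 bytes while bcrypt keys off at most 72, so the last 16 characters never influence the hash; that is harmless for verification because both sides truncate identically, but it is why `_backend_input` exists rather than trusting the library to truncate for you. A hash produced by the app can only be checked with the same salt: `verify_password` with a different `salt` argument fails just as the wrong password does.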
Reputation: 43533
If you want to generate the same hash, you need both the same password and the same salt.
Upvotes: 1