do not fail on malformed passwords

process/epasswd.py

@@ -69,7 +69,12 @@ class EPasswd:
     def check(self, id, passwd):
         pw = self.get_passwd(id)
         if pw[0:4]=='$2a$' or pw[0:4]=='$2y$':
-            return bcrypt.checkpw(passwd.encode('utf8'), pw.encode('utf8'))
+            try:
+                h1 = pw.encode('utf8')
+                h2 = passwd.encode('utf8')
+                return bcrypt.checkpw(h1, h2)
+            except:
+                return False
         return pw == passwd
 
     def get_passwd(self, id):