What algorhythm is used for encrypting user passwords?
-
@pyc4 if you have older user passwords, it's likely those were hashed without the sha step
-
@pyc4 if the salt is different between NodeBB and your app, the resulting hash will of course be different.
The salt is randomly generated for each password, so it can't be shared.
But the salt itself is prepended to the hash, so the real test is whether running .compare() on your app shows that the password matches.
-
OK, just let me be clear on the step really I'm not fully sure it's ok?
-
user-entered password is put through
crypto.createHash('sha512').update(password).digest('hex'); -
then I use that as the first argument for bcrypt.compare() function, and the second argument is password fetched from NodeBB database, and if true is returned entered password is matched against stored password.
Still I don't understand how is it possible to compare if I don't have original salt, but if it could work like how I described it, it's good enough for me.
-
-
@pyc4 share your code please
-
passwordSHA512 = "b33bcf64f2744712deb66354b1d6a6d0"; passwordSHA512 = crypto.createHash('sha512').update(passwordSHA512).digest('hex'); console.log(passwordSHA512); // 455800380a39d8c49b976eb4bc31b98710ceb5beecd88c823c50ca2bdfd7cf1a581d92d9f64df5cfb2f9e50dfc3b2240e119b5ceffc99e584b310838f999aebc const match = bcrypt.compareSync(passwordSHA512, "$2a$12$56c7LRlpF9Mt47eeXDBgBuIBsuf3NPU4hAFzQRyxM7pZWMwhz3EOG"); console.log(match); // falsematch should be true, not false.
-
@pyc4 and you got the password hash+salt directly from the database?
-
I tested this and Im getting the expected result.
router.get('/test', async (req, res) => { const crypto = require('crypto'); const bcrypt = require('bcryptjs'); const rounds = 12; const mypassword = '123456'; const shaPassword = crypto.createHash('sha512').update(mypassword).digest('hex'); const salt = await bcrypt.genSalt(parseInt(rounds, 10)); const hashedPassword = await bcrypt.hash(shaPassword, salt); console.log('hashedPassword', hashedPassword); // testing const mypasswordtry = '123456'; const shaPasswordtry = crypto.createHash('sha512').update(mypasswordtry).digest('hex'); res.json({ 'should be true': bcrypt.compareSync(shaPasswordtry, hashedPassword), 'should be false': bcrypt.compareSync('asdasdasa', hashedPassword), }); });Prints out
{ "should be true": true, "should be false": false } -
@pyc4 salt is included in the password hash and stored in the same string in the database, which is why compare is passed only two things.
-
It worked out with this code:
const shaPassword = crypto.createHash('sha512').update(password).digest('hex'); console.log("true or false: "); console.log(await bcrypt.compare(shaPassword, "$2a$12$56c7LRlpF9Mt47eeXDBgBuIBsuf3NPU4hAFzQRyxM7pZWMwhz3EOG"));Compare's second argument is fetched from database and that's it... Honestly I don't really know how it complicated this much for me, there's something that I did wrong, now it's ok. Thanks a lot!
-
P pyc4 has marked this topic as solved on
-
@Pitaj @baris Just to be completely clear, bcrypt.compare is this the only possible way for checking password?
I was thinking it is possible to generate hash from given password that is exactly the same as the hash written to database. Then I could just search the database for that hash , and if it exist that whatever user that has that password is logged in - I wouldn't have to find user first and load saved hash in database to supply to compare function.
Huh, I'm hope I'm being clear.
-
