What algorithm is used for encrypting user passwords?
-
@pyc4 share your code please
-
const crypto = require('crypto');
const bcrypt = require('bcryptjs');

let passwordSHA512 = "b33bcf64f2744712deb66354b1d6a6d0";
passwordSHA512 = crypto.createHash('sha512').update(passwordSHA512).digest('hex');
console.log(passwordSHA512);
// 455800380a39d8c49b976eb4bc31b98710ceb5beecd88c823c50ca2bdfd7cf1a581d92d9f64df5cfb2f9e50dfc3b2240e119b5ceffc99e584b310838f999aebc

const match = bcrypt.compareSync(passwordSHA512, "$2a$12$56c7LRlpF9Mt47eeXDBgBuIBsuf3NPU4hAFzQRyxM7pZWMwhz3EOG");
console.log(match); // false
match should be true, not false.
-
@pyc4 and you got the password hash+salt directly from the database?
-
I tested this and I'm getting the expected result.
router.get('/test', async (req, res) => {
    const crypto = require('crypto');
    const bcrypt = require('bcryptjs');
    const rounds = 12;
    const mypassword = '123456';
    const shaPassword = crypto.createHash('sha512').update(mypassword).digest('hex');
    const salt = await bcrypt.genSalt(parseInt(rounds, 10));
    const hashedPassword = await bcrypt.hash(shaPassword, salt);
    console.log('hashedPassword', hashedPassword);

    // testing
    const mypasswordtry = '123456';
    const shaPasswordtry = crypto.createHash('sha512').update(mypasswordtry).digest('hex');
    res.json({
        'should be true': bcrypt.compareSync(shaPasswordtry, hashedPassword),
        'should be false': bcrypt.compareSync('asdasdasa', hashedPassword),
    });
});
Prints out
{ "should be true": true, "should be false": false }
-
@pyc4 salt is included in the password hash and stored in the same string in the database, which is why compare is passed only two things.
-
It worked out with this code:
const crypto = require('crypto');
const bcrypt = require('bcryptjs');

// `password` is the plaintext submitted by the user
const shaPassword = crypto.createHash('sha512').update(password).digest('hex');
console.log("true or false: ");
console.log(await bcrypt.compare(shaPassword, "$2a$12$56c7LRlpF9Mt47eeXDBgBuIBsuf3NPU4hAFzQRyxM7pZWMwhz3EOG"));
Compare's second argument is fetched from the database and that's it... Honestly I don't really know how it got this complicated for me, there's something that I did wrong, now it's ok. Thanks a lot!
-
@Pitaj @baris Just to be completely clear, is bcrypt.compare the only possible way to check a password?
I was thinking it is possible to generate a hash from the given password that is exactly the same as the hash written to the database. Then I could just search the database for that hash, and if it exists, then whatever user has that password is logged in - I wouldn't have to find the user first and load the saved hash from the database to supply to the compare function.
Huh, I hope I'm being clear.
-