What algorhythm is used for encrypting user passwords?

pyc4

I'm definitely stuck, anybody care to provide professional help? I'm willing to pay to overcome this hurdle.

PitaJ

@pyc4 share your code please

pyc4

    passwordSHA512 = "b33bcf64f2744712deb66354b1d6a6d0";
    passwordSHA512 = crypto.createHash('sha512').update(passwordSHA512).digest('hex');
    console.log(passwordSHA512); // 455800380a39d8c49b976eb4bc31b98710ceb5beecd88c823c50ca2bdfd7cf1a581d92d9f64df5cfb2f9e50dfc3b2240e119b5ceffc99e584b310838f999aebc
    const match = bcrypt.compareSync(passwordSHA512, "$2a$12$56c7LRlpF9Mt47eeXDBgBuIBsuf3NPU4hAFzQRyxM7pZWMwhz3EOG");
    console.log(match); // false

match should be true, not false.

PitaJ

@pyc4 and you got the password hash+salt directly from the database?

pyc4

@PitaJ No, just got hash, not a salt. How can I get the salt if salt is always random?... Probably I do missing something here...

<baris>

I tested this and Im getting the expected result.

router.get('/test', async (req, res) => {
	const crypto = require('crypto');
	const bcrypt = require('bcryptjs');

	const rounds = 12;
	const mypassword = '123456';
	const shaPassword = crypto.createHash('sha512').update(mypassword).digest('hex');
	const salt = await bcrypt.genSalt(parseInt(rounds, 10));
	const hashedPassword = await bcrypt.hash(shaPassword, salt);
	console.log('hashedPassword', hashedPassword);

	// testing
	const mypasswordtry = '123456'; 
	const shaPasswordtry = crypto.createHash('sha512').update(mypasswordtry).digest('hex');

	res.json({
		'should be true': bcrypt.compareSync(shaPasswordtry, hashedPassword),
		'should be false': bcrypt.compareSync('asdasdasa', hashedPassword),
	});
});

Prints out

{
    "should be true": true,
    "should be false": false
}

PitaJ

@pyc4 salt is included in the password hash and stored in the same string in the database, which is why compare is passed only two things.

pyc4

It worked out with this code:

const shaPassword = crypto.createHash('sha512').update(password).digest('hex');
console.log("true or false: ");
console.log(await bcrypt.compare(shaPassword, "$2a$12$56c7LRlpF9Mt47eeXDBgBuIBsuf3NPU4hAFzQRyxM7pZWMwhz3EOG"));

Compare's second argument is fetched from database and that's it... Honestly I don't really know how it complicated this much for me, there's something that I did wrong, now it's ok. Thanks a lot!

pyc4

@Pitaj @baris Just to be completely clear, bcrypt.compare is this the only possible way for checking password?

I was thinking it is possible to generate hash from given password that is exactly the same as the hash written to database. Then I could just search the database for that hash , and if it exist that whatever user that has that password is logged in - I wouldn't have to find user first and load saved hash in database to supply to compare function.

Huh, I'm hope I'm being clear.

julian

@pyc4 said:

I was thinking it is possible to generate hash from given password that is exactly the same as the hash written to database.

Only if you use the same salt, but you don't have the salt, so therein lies the problem