Solved What algorithm is used for encrypting user passwords?


  • I'm definitely stuck, anybody care to provide professional help? I'm willing to pay to overcome this hurdle.

  • Global Moderator Plugin & Theme Dev

    @pyc4 share your code please


  • @PitaJ

        passwordSHA512 = "b33bcf64f2744712deb66354b1d6a6d0";
        passwordSHA512 = crypto.createHash('sha512').update(passwordSHA512).digest('hex');
        console.log(passwordSHA512); // 455800380a39d8c49b976eb4bc31b98710ceb5beecd88c823c50ca2bdfd7cf1a581d92d9f64df5cfb2f9e50dfc3b2240e119b5ceffc99e584b310838f999aebc
        const match = bcrypt.compareSync(passwordSHA512, "$2a$12$56c7LRlpF9Mt47eeXDBgBuIBsuf3NPU4hAFzQRyxM7pZWMwhz3EOG");
        console.log(match); // false
    

    match should be true, not false.

  • Global Moderator Plugin & Theme Dev

    @pyc4 and you got the password hash+salt directly from the database?


  • @PitaJ No, just got hash, not a salt. How can I get the salt if salt is always random?... Probably I am missing something here...

  • NodeBB Admin

    I tested this and I'm getting the expected result.

    router.get('/test', async (req, res) => {
    	const crypto = require('crypto');
    	const bcrypt = require('bcryptjs');
    
    	const rounds = 12;
    	const mypassword = '123456';
    	const shaPassword = crypto.createHash('sha512').update(mypassword).digest('hex');
    	const salt = await bcrypt.genSalt(parseInt(rounds, 10));
    	const hashedPassword = await bcrypt.hash(shaPassword, salt);
    	console.log('hashedPassword', hashedPassword);
    
    	// testing
    	const mypasswordtry = '123456'; 
    	const shaPasswordtry = crypto.createHash('sha512').update(mypasswordtry).digest('hex');
    
    	res.json({
    		'should be true': bcrypt.compareSync(shaPasswordtry, hashedPassword),
    		'should be false': bcrypt.compareSync('asdasdasa', hashedPassword),
    	});
    });
    

    Prints out

    {
        "should be true": true,
        "should be false": false
    }
    
  • Global Moderator Plugin & Theme Dev

    @pyc4 salt is included in the password hash and stored in the same string in the database, which is why compare is passed only two things.


  • It worked out with this code:

    const shaPassword = crypto.createHash('sha512').update(password).digest('hex');
    console.log("true or false: ");
    console.log(await bcrypt.compare(shaPassword, "$2a$12$56c7LRlpF9Mt47eeXDBgBuIBsuf3NPU4hAFzQRyxM7pZWMwhz3EOG"));
    

    Compare's second argument is fetched from the database and that's it... Honestly I don't really know how it got this complicated for me, there's something that I did wrong, now it's ok. Thanks a lot!

  • Topic has been marked as solved by pyc4

  • @Pitaj @baris Just to be completely clear, is bcrypt.compare the only possible way of checking a password?

    I was thinking it is possible to generate hash from given password that is exactly the same as the hash written to database. Then I could just search the database for that hash, and if it exists then whatever user has that password is logged in - I wouldn't have to find the user first and load the saved hash from the database to supply to the compare function.

    Huh, I hope I'm being clear. 🙂

  • GNU/Linux Admin

    @pyc4 said:

    I was thinking it is possible to generate hash from given password that is exactly the same as the hash written to database.

    Only if you use the same salt, but you don't have the salt, so therein lies the problem 😄
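
The point made in the replies above (the salt is stored inside the hash string, so a freshly generated hash of the same password never equals the stored one), as an added example that is not part of the original thread or NodeBB's code. `parseBcrypt` splits the hash string quoted in the thread; because bcrypt is not in Node's standard library, `hashPassword` and `verifyPassword` use scrypt as a labelled stand-in, and the `users` map, function names and sample data are constructed for illustration.

```javascript
const crypto = require('crypto');

// Split a bcrypt string: "$<version>$<cost>$<22-char salt><31-char digest>".
function parseBcrypt(stored) {
  const m = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/.exec(stored);
  if (!m) throw new Error('not a bcrypt hash string');
  return { version: m[1], cost: Number(m[2]), salt: m[3], digest: m[4] };
}

// Stand-in salted hash (scrypt from Node's crypto, NOT bcrypt) that stores
// the salt inside the returned string, the way bcrypt does.
function hashPassword(password, salt = crypto.randomBytes(16)) {
  // SHA-512 pre-hash, as in the code posted in the thread.
  const pre = crypto.createHash('sha512').update(password).digest('hex');
  const digest = crypto.scryptSync(pre, salt, 32);
  return `${salt.toString('hex')}$${digest.toString('hex')}`;
}

// Verify by re-deriving with the salt read back out of the stored string.
function verifyPassword(password, stored) {
  const [saltHex] = stored.split('$');
  const candidate = hashPassword(password, Buffer.from(saltHex, 'hex'));
  return crypto.timingSafeEqual(Buffer.from(candidate), Buffer.from(stored));
}

// Constructed sample "database": username -> stored hash string.
const users = new Map([
  ['alice', hashPassword('123456')],
  ['bob', hashPassword('123456')], // same password, different random salt
]);

// Login: find the user first, then compare against that user's stored string.
function login(username, password) {
  const stored = users.get(username);
  return stored !== undefined && verifyPassword(password, stored);
}

// Searching by a freshly generated hash matches nobody: the new salt differs.
function findUsersByFreshHash(password) {
  const fresh = hashPassword(password);
  return [...users].filter(([, stored]) => stored === fresh).map(([name]) => name);
}
```
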



© 2014 – 2022 NodeBB, Inc. — Made in Canada.