9

I am working with the bcrypt nodejs module.

I am satisfied with it to encrypt and compare passwords, but it seems impossible to decrypt it.

I am wondering:

  1. How do you encrypt/decrypt passwords with nodejs (which module or method are you using)?
  2. Is there a trick to decrypt the passwords encoded with the bcrypt module?

Thanks!

2 Answers

23

You don't decrypt passwords with bcrypt -- it's a one-way algorithm. What you do is store the hash of the original (salted) password. Then you hash the (salted) guess. If the hashes match, then the guess is correct.

Fortunately, the node-bcrypt library does all of this for you, so you only need to provide the plaintext guess and the hash (from the database).

For example, you might do this:

var bcrypt = require('bcrypt');
// Hash of "password"; usually stored in the database in the user's row.
var stored_hash = '$2a$10$vxliJ./aXotlnxS9HaJoXeeASt48.ddU7sHNOpXC/cLhgzJGdASCe';
var guess = 'password'; // the plaintext the user just typed in
bcrypt.compare(guess, stored_hash, function(err, res) {
  if (err) throw err;
  // res is true when the guess matches the stored hash, false otherwise
  console.log(res ? 'login ok' : 'wrong password');
});

6 Comments

Yes, that's what I did, but if you want to auth a user using an external API, for example Facebook, and return the credentials of this same user to the client side, it could be useful.
@Ludo Do you need to know their password, or do you just need to know their name and whether they could successfully log in? This is what external login APIs like Facebook Connect provide: authentication is done on facebook.com, not on your domain, and Facebook redirects the user to the appropriate path you specified with its hash, and then you know that the user is authenticated.
@Mustafa I need a password I automatically generate on the server side during the Facebook registration to display it on the admin page of the user.
You should not display a password to the user. They should know their password, and in the event that they forget it, offer some mechanism to create a new one (perhaps by emailing a link to reset to their registered email). Openly displaying a user's password to them is a horrible idea (no offense). Imagine a situation where someone hijacks a session. If the hijacked user's password is displayed to the hijacker, the hijacker now has the actual password, not just session access. For this same reason you should require the password to be entered on changes to sensitive information.
If you auto-generate it, email it to them ONCE, or display it ONCE during sign up. After this you should never need to openly show them their password.
2

How to decrypt or reform a Hashed password using bcrypt or bcryptjs?

Answer: If you're asking how to "return" the hashed password back to its original form using Bcrypt or Bcryptjs, that's not possible with Bcrypt or any other secure hashing algorithm.

Why? Bcrypt is a one-way hashing algorithm: This means that once a password is hashed, it cannot be reversed or decrypted back to its original form. The purpose of hashing is to protect the original password so that even if the hash is compromised, the original password remains secure.

So, What Can You Do? Comparing the Password: Instead of trying to reverse the hash, the correct approach is to compare a plain text password with a stored hash using bcrypt.compare().
