I am using bcrypt-nodejs module for password hash . But when want to forget password feature , how to get actual password ? My actuall password already encrypt
by salt and bcrypt-nodejs.
That's one of the major security features of bcrypt is that you can't get the original password after it has been hashed. You can only compare hashed values. So for a "Forgot password" feature, the user will have to set a new password.
Related
How does bycrypt.compare() work when comparing the input password and the hashed password stored in database?
Does it take the hashed password from the database, decrypts it and then compares it with the plaintext password?
OR
Does it hash the plaintext password which is taken as an input and keeps on hashing it as per saltrounds till it matches the stored hashed value in database?
I have tried looking up in the official documentation of bycrypt package by NodeJS here, but there is no detail description about its internal working. It would be very helpful if someone can shed some light on this. Thanks in advance!
Since JHipster use PasswordEncoder i can't as admin see what is my user password. He says he can't login and reset password is not working for him. Is there any way for me to set default password to him. I tried to copy hash of default 'admin' password and set it for him, but i still can't login ?
I tried to set twice same password for me and i got two different hash for same password ? How can JHipster decrypt when there are 2 hashes for same password ?
JHipster uses BCryptPasswordEncoder to hash passwords, it uses BCrypt strong hashing function.
As a result, the password_hash column in Users table contains values that start with $2a$10$ which states the algorithm and its cost followed by the
salt and finally the hash itself.
I need the following methods for login module and reset-password module.
a) Salted MD5 technique in "authentication or login module‟
b) MD5 hash technique in "reset password‟ modules.
and how it should work, I write the description below.
When a client requests for the login page, the server should generates a random number, the salt, and sends it to the client along with the page. A JavaScript code on the client computes the MD5 hash of the password entered by the user. It then concatenates the salt to the hash and re-computes the MD5 hash. This result is then sent to the server. The server picks the hash of the password from its database, concatenates the salt and computes the MD5 hash. If the user entered the correct password these two hashes should match. The server compares the two and if they match, the user is authenticated.
Any reference any link which does the same.
Since you are using HTTPS, you don't need to go through all the trouble of hashing + salting your password on the client side - you have HTTPS to handle the confidentiality of the password in transit between the client/server for you.
Simply send the password to the server. The server will be responsible for hashing + salting the password, and matching that value against what it has stored in the database.
For Salting + Hashing server side, I would recommend BCrypt:
http://en.wikipedia.org/wiki/Bcrypt
You use it to generate a unique salt for each password stored. Also the hash algorithm itself is much slower than SHA1/MD5 (SHA1/MD5 are made for speed - not a useful property when storing passwords).
Given that you really have to perform your password hashing on the client side, how can you implement server-side salting?
The first solution that I can think of is to ask for the user's salt from the server's users table before you perform the hash. But that means you're confirming that the user "exists" since you give him the valid salt of the user.
I've also thought that instead of storing the salt in the user's table, you can make the salt something that is available to the user, for example, a variation of his username. But consistency problems might arise because the server and the client needs to remember how exactly the salt is gotten from the provided user data.
What is the best way to do this?
I'm no expert with regards to the topic but how about using something like a one-time salt along with the solutions you mentioned.
Meaning, you provide the client a salting function that generates a salt based on a random seed for a short time frame. The seed itself is dynamic and changes after some time and must be the same between the server and client. After all, the salt need not be secret.
On the client side generate the salt using the username (or whatever user data is available) assuming it is unique. Then you generate the hash on the concatenated password and salt and send it on the server.
On the server side, you calculate the salt using the same salting function in the client with the username as the input. You then generate the hash just the same and determine if the two values match. You just have to make sure the time window is wide enough to allow successful authentication.
Hashing client-side is useful if you don't have HTTPS for logins, but it can have some disadvantages such as revealing your hashing and/or salting methods. That being said, if they have access to your password hash database, they probably already have access to that information.
In order to do only a server side salt, you will need to rehash the password using the salt and password hash. In this scenario you would store only the username, salt (if not using a username and password hash salt) and second hash.
If as from your example you wish to perform the salting on both client and server, I would suggest using a combination of username and the initial password hash to salt. The salt won't be unknown by the client as anyone could check your salting method and even apply it to a password cracker, but it will avoid them using a rainbow table to crack same password users.
Don't use the username by itself as a salt. If its a common username (eg. admin), then there is probably a table out there already with this salt.
The problem with using nyde1319's answer (sorry didn't have rights to comment on the answer) is that you will need to have an unencrypted version of the password in your database to perform the password+salt hash. Defeating the purpose of the hash. If it was done using a hashed version of the password, you'd have to store the first hash and they could just crack that hash, defeating the purpose of the salt.
How can I edit the user password in mongoose-auth? I can edit all the others parameters but this no.
Any idea?
I solved this saving salt and hash with bcrypt.