How does bcrypt.compare() work when comparing the input password and the hashed password stored in the database?
Does it take the hashed password from the database, decrypt it, and then compare it with the plaintext password?
OR
Does it hash the plaintext password that is taken as input and keep on hashing it as per the salt rounds until it matches the stored hashed value in the database?
I have tried looking it up in the official documentation of the bcrypt package for NodeJS here, but there is no detailed description of its internal workings. It would be very helpful if someone could shed some light on this. Thanks in advance!
Since JHipster uses PasswordEncoder, I can't, as admin, see what my user's password is. He says he can't log in and password reset is not working for him. Is there any way for me to set a default password for him? I tried to copy the hash of the default 'admin' password and set it for him, but I still can't log in?
I tried to set the same password for myself twice and I got two different hashes for the same password? How can JHipster decrypt when there are 2 hashes for the same password?
JHipster uses BCryptPasswordEncoder to hash passwords; it uses the BCrypt strong hashing function.
As a result, the password_hash column in the Users table contains values that start with $2a$10$, which states the algorithm and its cost, followed by the salt and finally the hash itself.
I currently have a password reset with the following flow:
generate a temporary password
email it to the user
The user then clicks on a link in the email, taking them to a page where they can enter their temporary password along with a new one.
My question is, how can I securely achieve a password reset without making the user have to copy a nasty temporary password?
I have considered sending the password as a query string in the link in the email since HTTPS traffic is encrypted, but I have read that this is still a poor choice due to various reasons.
Any suggestions are welcome, thanks!
(I have purposely left out information about my stack as I am looking for a technology agnostic solution)
I am using the bcrypt-nodejs module for password hashing. But when I want a forgot password feature, how do I get the actual password? My actual password is already encrypted by salt and bcrypt-nodejs.
That's one of the major security features of bcrypt: you can't get the original password after it has been hashed. You can only compare hashed values. So for a "Forgot password" feature, the user will have to set a new password.
I have a system where users can sign up by Facebook or by a regular form. If a user signs up by Facebook, my system generates a random password, just to allow the user to log in without Facebook if he wants. If a user signs up using the regular form, he can type any password he wants. In both ways, passwords are encoded into an MD5 hash, but without salting. It is insecure, I know; this is the reason I'm here.
I don't know the best strategy to convert the passwords into secure ones... First I'm thinking to keep the MD5 insecure password, and when the user logs in, I can match the password without salt, salt it, and then update the database. But it doesn't solve my problem, because the system will still accept the insecure password. Besides that, the user can still log in using Facebook, which does not allow me to update their password (since he didn't use it).
So, does anybody have an idea to minimize the impact instead of just forcing everyone to update their passwords?
Thanks!
So, I've done the following actions to solve my problem.
Created a column "LastPasswordChange" in users table.
When the user changes the password, the field is updated with the current date. ALSO, an e-mail is sent to the user to inform them that the password was changed, with a link to revert it in case this is wrong (due to a possible hack).
The e-mail allows the user to log in and set a new password without knowing the last one used.
When the user logs in using the current password, it looks at the LastPasswordChange field, and if it is null, it allows the login without using the salt.
Whichever way he/she logs in (Facebook or login/pass), the system looks at the LastPasswordChange field, and if it is null, the system requires the user to change the current password to a different one (not matching the old one without salt).
That's it.