Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to decrypt hash stored by bcrypt

Tags:

bcrypt

perl

I have this script that encrypts a password but I don't know how to reverse it and decrypt it. This may be a very simple answer but I don't understand how to do it.

#!/usr/bin/perl use Crypt::Eksblowfish::Bcrypt; use Crypt::Random;  $password = 'bigtest'; $encrypted = encrypt_password($password); print "$password is encrypted as $encrypted\n";  print "Yes the password is $password\n" if check_password($password, $encrypted); print "No the password is not smalltest\n" if !check_password('smalltest', $encrypted);  # Encrypt a password  sub encrypt_password {     my $password = shift;      # Generate a salt if one is not passed     my $salt = shift || salt();       # Set the cost to 8 and append a NUL     my $settings = '$2a$08$'.$salt;      # Encrypt it     return Crypt::Eksblowfish::Bcrypt::bcrypt($password, $settings); }  # Check if the passwords match sub check_password {     my ($plain_password, $hashed_password) = @_;      # Regex to extract the salt     if ($hashed_password =~ m!^\$2a\$\d{2}\$([A-Za-z0-9+\\.]{22})!) {         return encrypt_password($plain_password, $1) eq $hashed_password;     } else {         return 0;     } }  # Return a random salt sub salt {     return Crypt::Eksblowfish::Bcrypt::en_base64(Crypt::Random::makerandom_octet(Length=>16)); } 
like image 302
BluGeni Avatar asked Aug 06 '13 15:08

BluGeni


People also ask

Can you decrypt a bcrypt hash?

You can't "decrypt" a hash, because it's not encrypted. Hashes are like hamburger.

Can you reverse bcrypt?

You can't decrypt the hash, because - as you said - hash functions can't be reversed. You should still change your passwords.

How do I decrypt bcrypt password in react?

You don't decrypt passwords with bcrypt -- it's a one-way algorithm. What you do is store the hash of the original (salted) password. Then you hash the (salted) guess. If the hashes match, then the guess is correct.

Is bcrypt a hash or encryption?

bcrypt is a password-hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher and presented at USENIX in 1999.


2 Answers

You're HASHING, not ENCRYPTING!

What's the difference?

The difference is that hashing is a one way function, where encryption is a two-way function.

So, how do you ascertain that the password is right?

Therefore, when a user submits a password, you don't decrypt your stored hash, instead you perform the same bcrypt operation on the user input and compare the hashes. If they're identical, you accept the authentication.

Should you hash or encrypt passwords?

What you're doing now -- hashing the passwords -- is correct. If you were to simply encrypt passwords, a breach of security of your application could allow a malicious user to trivially learn all user passwords. If you hash (or better, salt and hash) passwords, the user needs to crack passwords (which is computationally expensive on bcrypt) to gain that knowledge.

As your users probably use their passwords in more than one place, this will help to protect them.

like image 82
Glitch Desire Avatar answered Sep 20 '22 14:09

Glitch Desire


To answer the original posters question.... to 'decrypt' the password, you have to do what a password cracker would do.

In other words, you'd run a program to read from a large list of potential passwords (a password dictionary) and you'd hash each one using bcrypt and the salt and complexity from the password you're trying to decipher. If you're lucky you'll find a match, but if the password is a strong one then you likely won't find a match.

Bcrypt has the added security characteristic of being a slow hash. If your password had been hashed with md5 (terrible choice) then you'd be able to check billions of passwords per second, but since it's hashed using bcrypt you will be able to check far fewer per second.

The fact that bcrypt is slow to hash and salted is what makes it a good choice for password storage even today. That being said I believe NIST recommends the PBKDF2 for password hashing.

like image 37
stackhouse Avatar answered Sep 16 '22 14:09

stackhouse