[Python - decrypt hash stored by bcrypt] #Python #Bcrypt #decrypt

You're HASHING, not ENCRYPTING!

What's the difference?

The difference is that hashing is a one-way function, whereas encryption is a two-way function: an encrypted value can be turned back into the plaintext with the key, but a bcrypt hash cannot be reversed into the password.

So, how do you ascertain that the password is right?

So when a user submits a password, you don't decrypt your stored hash; instead you perform the same bcrypt operation on the user input and compare the result with the stored hash. If they're identical, you accept the authentication.

Should you hash or encrypt passwords?

What you're doing now -- hashing the passwords -- is correct. If you were to simply encrypt passwords, a breach of your application could allow a malicious user to trivially learn all user passwords. If you hash (or better, salt and hash) passwords, an attacker needs to crack each hash (which is computationally expensive with bcrypt) to gain that knowledge.

As your users probably use their passwords in more than one place, this will help to protect them.
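The store-then-verify flow described above, as an added example that is not part of the gist. bcrypt is a third-party package, so to keep this runnable with the standard library alone the slow salted hash is PBKDF2-HMAC-SHA256; with the `bcrypt` package installed, the same flow is `bcrypt.hashpw(pw, bcrypt.gensalt())` at registration and `bcrypt.checkpw(pw, stored)` at login. The `$pbkdf2-sha256$...` record format is constructed for this example.

```python
# Added example (not the gist's code): hash on registration, re-hash and
# compare on login. Nothing here ever "decrypts" the stored value.
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # work factor; raise it as hardware gets faster
SALT_BYTES = 16
DK_LEN = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, *, iterations: int = ITERATIONS) -> str:
    """Hash a new password. Returns a self-describing record (constructed
    format, modelled on the modular-crypt style that bcrypt also uses):
    $pbkdf2-sha256$<iterations>$<salt b64>$<hash b64>"""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, DK_LEN)
    return f"$pbkdf2-sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt: hash the candidate with the salt and work
    factor taken from the stored record, then compare in constant time."""
    try:
        _, algo, iterations, salt_b64, dk_b64 = stored.split("$")
        if algo != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: reject, don't crash
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    rounds, len(expected))
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))  # False
```

Two registrations of the same password produce different records because each gets its own salt, which is why the comparison must re-hash with the stored salt rather than compare against a freshly generated one.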
