I'm trying to migrate a Ruby on Rails app to Django, and got stuck with the fact that the RoR app is encrypting the user passwords in 2 fields, crypted_password and password_salt, in addition to the persistence_token, so is there any workaround to replace this with just simple MD5 hashed passwords without resetting the passwords of all users?
You need the password in plain text to store it hashed (with MD5 or any other algorithm). That said: you would need to restore the users' passwords from the current bcrypted version. And avoiding the possibility of decryption is exactly the reason why bcrypt exists.
Therefore the answer is: No, you cannot do that without your users' help.
Btw, MD5 is considered insecure. You should try hard to get the bcrypt version working with Django.
Related
I have a Ruby app with a MySQL database which has passwords stored. I don't know Ruby, but from the internet what I found is that Ruby stores passwords in bicrypt format.
I created one user with password: Password123.
What I printed in the console was its encrypted password.
Tasks:
Now I am creating a Django app which needs to be connected to the same database. I need to verify passwords from the same database. That is, I used the bicrypt algorithm in a Django dummy app and created a user with the same password: Password123.
But the encrypted text from the Ruby app and the Django app are different. It needs to be the same for verification from the Django app.
How do I do this? Why is the bicrypt output of both languages different?
I am going to assume you mean bcrypt. I don't know what bicrypt is. The 'encrypted' password is probably salted to protect against rainbow attacks, which is why they have different 'encrypted' values.
Why do you need the 'encrypted' password to be the same on both systems? Does using 'Password123' on either system not work?
I am using the Rails Active Admin gem and the BCrypt gem. Now I want to decrypt all users' passwords. How can I do this?
Thanks for your support!!
You can't, because bcrypt is a password hashing function, not encryption.
That is the whole point of using bcrypt.
As I understand from your comments, you want to migrate an existing app in PHP to Rails.
You cannot decrypt the password and get the plain text.
So you need to first find out the encryption mechanism used in the PHP app. If you can't find that out from your codebase, then you can follow these steps:
Create a user from your PHP app. Set the password as test.
Get the encrypted password from the database.
Go to BCrypt Calculator and check if test matches the encrypted password.
If it matches then your PHP app is using BCrypt and moving over to Rails using BCrypt will be fine.
How does it work, that devise knows salts for encrypted passwords? Where does it store these hashes and how is that safe?
This is one of the main files for creating passwords: Devise::DatabaseAuthenticatable
The salt is not stored in the database; it is a string generated by this C function, __bc_salt, that is run by the BCrypt::Engine.generate_salt() function:
prefix = "$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW"
__bc_salt(prefix, cost, OpenSSL::Random.random_bytes(MAX_SALT_LENGTH))
This can be found here:
BCrypt::Engine
With some other interesting code here: BCrypt::Password
From what I can gather though, the salt itself is the 29 characters that appear after the third $ in the encrypted password. This alone cannot tell you the password though, since you also need to know the pepper, which is based on your app's secret key (usually stored in your /config/initializers/secret_token.rb).
Conclusion: In order to decrypt a password, one would have to be using the right version of BCrypt, have obtained the secret token from the app, and have the encrypted password, and I think that at that point, user passwords are probably the least of your security concerns, so I think it's pretty safe.
This question has been answered in this Stack Overflow question already, but it's not Grails-specific and is also kind of vague.
I set my Grails app up with Spring Security, but apparently didn't get the newest version, because it defaulted to SHA-256 instead of bcrypt. Now I have production data with passwords hashed in what seems to be a less-than-ideal method.
It's a piece of cake to enable bcrypt hashing:
Config.groovy > grails.plugins.springsecurity.password.algorithm = 'bcrypt'
but now I need the app to convert the old hashes into new ones. Fundamentally, I understand that when a user logs in, I should have the app check to see if the password is an SHA-256 hash, and if so, re-hash the entered password with bcrypt. After a while, they'll all be upgraded and that code can be removed.
What is the actual code for determining if a password hash is from SHA-256 or bcrypt, though?
EDIT
That is to say, what is the actual function that I call to get a hash? How do I bcrypt(incomingpassword) to see if it matches the existing password hash?
bcrypt passwords will start with "$2a$10$" and be 60 chars long. There is no pattern for SHA-256, but it will be 64 chars long.
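The following is an added example (not code from any of the posts above) that puts the two points from this thread and the Devise thread into working form: telling a 60-character bcrypt string apart from a 64-hex-character SHA-256 digest, splitting the bcrypt string into version, cost, the 22-character salt and the 31-character digest (the first 29 characters, version plus cost plus salt, are what bcrypt-ruby hands back as the "salt"), and re-hashing a legacy SHA-256 password with the new scheme at the one moment the plaintext is available, login. It assumes the legacy scheme is unsalted SHA-256 hex, and takes the new-scheme hash and check functions as parameters so that `bcrypt.hashpw`/`bcrypt.checkpw` from the `bcrypt` package can be passed in.

```python
import hashlib
import hmac
import re
from typing import Callable, Dict

# bcrypt modular-crypt format: $2a$<cost>$<22-char salt><31-char digest>, 60 chars in total.
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
# Legacy Spring Security default: SHA-256 digest rendered as 64 hex characters.
SHA256_HEX_RE = re.compile(r"^[0-9a-fA-F]{64}$")

def classify(stored: str) -> str:
    """Return 'bcrypt', 'sha256' or 'unknown' for a stored password hash."""
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if SHA256_HEX_RE.match(stored):
        return "sha256"
    return "unknown"

def bcrypt_parts(stored: str) -> dict:
    """Split a bcrypt string; the salt is the 22 chars after the third '$'."""
    m = BCRYPT_RE.match(stored)
    if not m:
        raise ValueError("not a bcrypt hash")
    version, cost, salt, digest = m.groups()
    return {"version": version, "cost": int(cost), "salt": salt,
            "salt_prefix": stored[:29],  # version+cost+salt, as bcrypt-ruby's Password#salt returns
            "digest": digest}

def legacy_sha256(password: str) -> str:
    # Assumption: the old scheme hashed the password alone, without a salt.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def login_and_upgrade(store: Dict[str, str], user: str, password: str,
                      new_hash: Callable[[str], str],
                      new_check: Callable[[str, str], bool]) -> bool:
    """Verify the login; if the record is still SHA-256 and the password is right,
    overwrite it with new_hash(password). Returns True on a successful login."""
    stored = store.get(user)
    if stored is None:
        return False
    scheme = classify(stored)
    if scheme == "bcrypt":
        return new_check(password, stored)
    if scheme == "sha256":
        if hmac.compare_digest(legacy_sha256(password).lower(), stored.lower()):
            store[user] = new_hash(password)  # plaintext is in hand only now
            return True
        return False
    return False  # unrecognised format: refuse rather than guess
```

Once every record classifies as bcrypt, the SHA-256 branch can be deleted.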
I have a postgres database running at heroku. In the database I store passwords using bcrypt. The app is a Ruby on Rails 3 app using custom authorization. The authorization is using the rails method has_secure_password for the passwords.
I have planned to move my app to a VPS instead.
Will all my users' passwords still be working after moving the database? I'm asking this because I'm not sure how the passwords are salted. Is the method used to hash the passwords not tied to the database server in any way?
Source - bcrypt-ruby
"Hash algorithms take a chunk of data (e.g., your user's password) and create a "digital fingerprint," or hash, of it. Because this process is not reversible, there's no way to go from the hash back to the password."
Assuming you're storing the password hash and salt as a string, then you will be able to store this in any data store. Take a look in db/schema and you will probably find that you are doing this.