Is it possible to decrypt previously hashed passwords using:

Bcrypt - $2b$12$

while using:

from werkzeug.security import generate_password_hash, check_password_hash

I am kind of assuming that if I can specify which hashing algorithm werkzeug.security should use to check the password, then it would work even though they are different tools.

Perhaps I am being naive.

I encrypted the passwords like so:

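from flask import Flask
from flask_bcrypt import Bcrypt

application = Flask(__name__)
bc = Bcrypt(application)  # Flask-Bcrypt wrapper used to create the $2b$ hashes
password = bc.generate_password_hash(data['password_input'])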

But would like to decrypt like so:

from flask import Flask
from werkzeug.security import generate_password_hash, check_password_hash

application = Flask(__name__)
# user.password is the stored hash, password is the submitted attempt
if check_password_hash(user.password, password):
    pass

Sample (dummy) hash:

$2b$12$98WSJfIg.YkR/Bn469IX4OlOCJx.HMWKxR8NysSynGa8QHf/4rawq

I would use the Bcrypt library but I haven't been able to get it to work with Elastic Beanstalk, due to http://stackoverflow.com/questions/41854768/flask-bcrypt-attributeerror-module-object-has-no-attribute-ffi-deployed.

archienorman
    No you can't. That's kind of the whole point. You should just encrypt the incoming password and compare the hash to the hash you have. – Suever Jan 25 '17 at 16:47

1 Answer

No you can't do this. That is the whole point of using Bcrypt to encrypt the password in the first place. If you were able to recover a password from a hash, then any breach of your database would result in users' credentials being accessible and a hash would be no better than storing a password in clear text. See more about password hashing here.

All that you can do is take in a new password attempt, hash it, and compare the hash to your known hash. check_password_hash is incapable of dealing with Bcrypt hashes, so you will need to use bcrypt.hashpw to do this:

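import hmac
import bcrypt
# hashpw reuses the salt and cost stored in stored_hash; both arguments are bytes
isSamePassword = hmac.compare_digest(bcrypt.hashpw(new_password, stored_hash), stored_hash)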
Suever
  • Sorry, perhaps I wasn't clear in my question by saying 'decrypt'; what I was asking is what you have suggested, though. That is, I want to take in a clear text password, hash it, and compare the hash with my previously stored hash. – archienorman Jan 25 '17 at 17:12
  • But in order to get the same hash, I assume I have to make sure the bcrypt hashing algorithm is the same as the hash I create using `werkzeug.security`. I realise this isn't an ideal situation, but I am forced into it as Bcrypt is not working with AWS Beanstalk. – archienorman Jan 25 '17 at 17:13
  • @user3939059 Yes it is required that the hashing function used to create the hash and to check the hash have to be identical. There is no alternative. Why is it not working with Beanstalk? – Suever Jan 25 '17 at 17:21
  • OK thanks. Beanstalk issue: `AttributeError: 'module' object has no attribute 'ffi'` - link here: http://stackoverflow.com/questions/41854768/flask-bcrypt-attributeerror-module-object-has-no-attribute-ffi-deployed – archienorman Jan 25 '17 at 17:31
  • @user3939059 Ok then that other question is where that particular issue should be addressed rather than within this one. It should definitely work and is the only way to compare passwords as I said in this answer. As I've said here, there is no possible way to get the password from the hash values so I would consider this question answered. – Suever Jan 25 '17 at 17:57
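
The point made in the answer and comments above, that a hash can only be checked by the scheme that produced it, shown as an added example (not code from the question, the answer or either library). It splits the question's sample `$2b$12$` string into bcrypt's fields and verifies PBKDF2 records with the standard library only. The `pbkdf2:<digest>:<iterations>$<salt>$<hex>` layout is assumed to be the one werkzeug's `generate_password_hash` writes for PBKDF2, and all function names are hypothetical.

```python
import hashlib
import hmac
import re

# bcrypt string layout: $<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def parse_bcrypt(stored):
    """Split a bcrypt hash string into its fields; None if it is not bcrypt."""
    m = BCRYPT_RE.match(stored)
    if m is None:
        return None
    variant, cost, salt, digest = m.groups()
    return {"variant": variant, "cost": int(cost), "salt": salt, "digest": digest}


def identify_scheme(stored):
    """Name the scheme that produced a stored hash, judged by its format."""
    if parse_bcrypt(stored) is not None:
        return "bcrypt"
    if stored.startswith("pbkdf2:"):
        return "pbkdf2"
    return "unknown"


def make_pbkdf2(password, salt, digest, iterations):
    """Build 'pbkdf2:<digest>:<iterations>$<salt>$<hex>' (assumed layout)."""
    dk = hashlib.pbkdf2_hmac(digest, password.encode(), salt.encode(), iterations)
    return f"pbkdf2:{digest}:{iterations}${salt}${dk.hex()}"


def check_pbkdf2(stored, password):
    """Re-hash the attempt with the stored parameters, compare in constant time."""
    if identify_scheme(stored) != "pbkdf2":
        return False  # a PBKDF2 checker cannot reproduce a bcrypt digest
    try:
        method, salt, _ = stored.split("$", 2)
        _, digest, iterations = method.split(":")
        expected = make_pbkdf2(password, salt, digest, int(iterations))
    except ValueError:
        return False  # malformed record or unusable parameters
    return hmac.compare_digest(expected.encode(), stored.encode())
```

Records identified as `bcrypt` have to go to a bcrypt implementation, as the answer says; the PBKDF2 path here rejects them instead of guessing.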