6

I'm trying to use simple authentication for some posts' comments.

Users type a comment with an instant id and password,

and I use the 'bcrypt' gem to store the password in the database.

Like this in comments_controller.rb:

@comment = Comment.new(comment_params)
# hash the plain-text password (salt is generated and embedded by bcrypt)
bcrypted_pwd = BCrypt::Password.create(@comment.user_pwd)
# store only the hash, never the plain text
@comment.user_pwd = bcrypted_pwd

and I use the data-confirm-modal gem to confirm with data when users want to delete their comments.

In this part, I have to decrypt the user input password to compare with the encrypted password in the database.

How can I decrypt the password, and is there any good way to do this?

PrepareFor

2 Answers

18
ency_pass = BCrypt::Password.create("testing")
new_pass = "testing"

Let’s look at how we compare two bcrypt hashes, one coming from the database & one from user input (like a form or something like that).

BCrypt::Password.new(ency_pass) == new_pass
# true
BCrypt::Password.new(ency_pass) == "testing2"
# false

The part on the left (BCrypt::Password.new) is a BCrypt object, which takes the hash stored in the database as a parameter.

The part on the right (new_pass) is just the plain-text password that the user is trying to log in with.

Let's understand these things:

BCrypt uses something called a “salt”, which is a random value used to increase security against pre-computed hashes. The salt is stored in the hash itself. BCrypt defines its own == method, which knows how to extract that “salt” value so that it can take that into account when comparing the passwords.

BCrypt#== takes the “salt” value from the stored hash, then it hashes the plain-text password (the user input) using this salt so that both hashes will be identical if the password is valid.

If you were to look at the source code it would look something like this:

def ==(secret)
  super(
    BCrypt::Engine.hash_secret(secret, @salt)
  )
end

Remember that super will call the same method (in this case ==) on the parent class. The parent class of BCrypt::Password is String.

Vishal
  • Thanks a lot for your post!! I think I can fix it – PrepareFor Jun 27 '17 at 11:27
  • @DongkunLee Please accept this answer. So it will be easy for other users. – Vishal Jun 27 '17 at 11:36
  • It's great that you took the time to explain how the `BCrypt::Password` class works. Making it a subclass of `String` with overridden `==` is pretty convenient, but it also conceals what's going on. In IRB (or rails console) it looks like you were comparing two strings. – Stefan Jun 27 '17 at 12:51
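Added example (not code from the question or from the answer above): the store-on-create, verify-on-delete flow the question describes, implemented with the salt-extract-and-rehash comparison the answer explains. So that it runs without any gems, the bcrypt gem is swapped for PBKDF2-HMAC-SHA256 from Ruby's standard OpenSSL library; the `SaltedPassword` class, its `pbkdf2$...` storage format, the `Comment` struct and the `create_comment` / `can_delete?` helpers are all hypothetical stand-ins for the question's `Comment` model and controller code.

```ruby
require 'openssl'
require 'securerandom'

# Stand-in for BCrypt::Password, assumed for this example: PBKDF2-HMAC-SHA256
# from Ruby's stdlib so no gem is needed. Stored string format (constructed):
#   "pbkdf2$<iterations>$<hex salt>$<hex digest>"
# As with bcrypt, the salt lives inside the stored hash, so nothing else
# needs to be kept to verify a password later.
class SaltedPassword
  ITERATIONS = 100_000
  KEY_LEN = 32

  # Like BCrypt::Password.create: fresh random salt, then hash the secret.
  def self.create(secret)
    salt = SecureRandom.random_bytes(16)
    digest = derive(secret, salt, ITERATIONS)
    "pbkdf2$#{ITERATIONS}$#{salt.unpack1('H*')}$#{digest.unpack1('H*')}"
  end

  # Like BCrypt::Password.new(stored_hash): parse the stored string and
  # pull the salt and parameters back out of it.
  def initialize(stored)
    scheme, iters, salt_hex, digest_hex = stored.split('$', 4)
    raise ArgumentError, 'not a recognised hash' unless scheme == 'pbkdf2' && digest_hex
    @iterations = Integer(iters)
    @salt = [salt_hex].pack('H*')
    @digest = [digest_hex].pack('H*')
  end

  # What BCrypt#== does: re-hash the candidate with the salt taken from the
  # stored hash and compare the two digests. Nothing is ever "decrypted".
  def ==(secret)
    candidate = self.class.derive(secret, @salt, @iterations)
    self.class.constant_time_equal?(candidate, @digest)
  end

  def self.derive(secret, salt, iterations)
    OpenSSL::KDF.pbkdf2_hmac(secret, salt: salt, iterations: iterations,
                             length: KEY_LEN, hash: 'sha256')
  end

  # Compare every byte without short-circuiting, so the time taken does not
  # reveal how many leading bytes of the digest matched.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Hypothetical stand-in for the question's Comment record (not ActiveRecord).
Comment = Struct.new(:body, :user_id, :user_pwd)

# On create (the controller code in the question): store only the hash.
def create_comment(params)
  Comment.new(params[:body], params[:user_id], SaltedPassword.create(params[:user_pwd]))
end

# On delete: check the password typed into the confirm modal against the
# stored hash. This is the comparison the question asked how to do.
def can_delete?(comment, typed_password)
  SaltedPassword.new(comment.user_pwd) == typed_password
end

if __FILE__ == $PROGRAM_NAME
  c = create_comment(body: 'hi', user_id: 'guest42', user_pwd: 'testing')
  puts c.user_pwd                  # the stored hash, never the plain text
  puts can_delete?(c, 'testing')   # true
  puts can_delete?(c, 'testing2')  # false
end
```

Two hashes of the same password differ because each `create` draws a new salt, which is exactly why the check has to re-hash the input with the stored salt rather than hash it afresh and compare strings.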
-1

how can i decrypt password and is there any good way to done this?

You can't. You can only decrypt something which is encrypted. Bcrypt is not an encryption algorithm, it is a hash algorithm. You cannot reverse a hash. It is provably impossible. (And the proof isn't even hard, it can be understood by a high schooler.)

Jörg W Mittag
  • Not sure what are the downvotes about. Probably because of the "high scooler" remark :) – Sergio Tulentsev Jun 27 '17 at 11:19
  • 1
    Apparently the OP is using the wrong terminology (confusing "encryption" with "hashing", maybe doesn't even know the difference) and is approaching the problem from the wrong end. But merely stating "you can't do that" isn't that helpful (hence the downvote?) – Stefan Jun 27 '17 at 12:37
  • @SergioTulentsev: If you have three socks and two drawers, then it doesn't matter how you distribute the three socks among the two drawers, there will always be at least one drawer with at least two socks in it. So, when I ask you to get the sock from a drawer, this cannot possibly work in all circumstances, since there will sometimes be two socks in a drawer and you won't know which to get me. *That* is the proof that what the OP is asking for is impossible, and I honestly *do* believe that a high schooler can understand it. It's not an exaggeration. There is no need to be afraid of a "proof". – Jörg W Mittag Jun 27 '17 at 12:45
  • 1
    @Stefan: If someone tries to do something which is mathematically proven to be impossible, then "you can't do that, it is mathematically proven to be impossible" is a perfectly valid answer. – Jörg W Mittag Jun 27 '17 at 12:49