Reputation: 845
Hello, I need some help with this issue. I have searched for a solution and have not found one yet.
I want to compare two bcrypt hashes of the same password. How do I do it?
for example:
I have these two password hashes that came from the same password in bcrypt:
var password = 'E@Js#07Do=U$';
var hash1 = '$2a$10$fKAyjaG0pCkisZfRpKsBxursD6QigXQpm1TaPBDZ4KhIZRguYPKHe';
var hash2 = '$2a$10$mgApOcRIp7RSK3lRIIlQ5e/GjVFbxAFytGAEc0Bo17..r8v2pPR22';
// that's not working for me
// (passwordHash and userPasswordLoginHash are the two bcrypt hashes above)
bcrypt.compare(passwordHash, userPasswordLoginHash, function(err, isMatch) {
  if (err) throw err;
  if (isMatch) {
    console.log('correct password!');
  }
  callback(null, isMatch);
});
How can I compare them, to determine that they came from the same password, using the bcryptjs npm package?
Upvotes: 10
Views: 28479
Reputation: 1639
This is impossible by design - as a core security property of true password hashing.
If you could compare two password hashes without knowing the original password, then if an attacker cracked one password on the system, they would instantly know the passwords of all users who are using that password, without any additional work. It should be immediately obvious why this would be a bad thing.
For example, if passwords were stored using a hash inappropriate for password storage (such as MD5), then if 50 users had a password of 'password', then all of their hashed passwords would have the identical MD5 hash ('5f4dcc3b5aa765d61d8327deb882cf99'), and cracking one of them would reveal the password of all 50 users.
You can't do that with a modern password hash like bcrypt. The only way to "compare" two modern password hashes is to know the plaintext in advance, and then apply the algorithm using the salt in each hash. And even if two users have the same password, the attacker has to perform the same expensive computation to crack each of them independently, because the unique salts make each hash unique.
More generally, and this may sound a bit bold, there is no legitimate use case for any system or administrator to ever compare two different users' passwords. User passwords should be 100% independent and 100% opaque to the system once stored. If a system or business case requires this kind of comparison, it should be redesigned to eliminate that requirement.
Upvotes: 25
Reputation: 1
For a bit of extra security, you can encrypt the password in the front end and decrypt and compare it in the back end.
Upvotes: -1
Reputation: 59
"With bcrypt lib you compare plain text password to the one hashed using the same lib."
The problem is that in a microservices architecture, that is very insecure. If I have a front end passing an unhashed password to the backend, the unhashed password is getting logged (possibly in multiple places) before it gets compared against the hash in the DB on the system backend.
Upvotes: 5
Reputation: 6718
With the bcrypt lib you compare a plaintext password to the one hashed using the same lib.
Say you hashed a password:
const bcrypt = require('bcryptjs');
const saltRounds = 10; // cost factor encoded in the hash as "$10$"
const myPlaintextPassword = 'E@Js#07Do=U$';
bcrypt.hash(myPlaintextPassword, saltRounds, function(err, hash) {
  if (err) throw err;
  // Store hash in your password DB.
  // example output, taking your hash
  // hash = $2a$10$fKAyjaG0pCkisZfRpKsBxursD6QigXQpm1TaPBDZ4KhIZRguYPKHe
});
You compare like:
// db query, get hashed password, found hash
const hash = '$2a$10$fKAyjaG0pCkisZfRpKsBxursD6QigXQpm1TaPBDZ4KhIZRguYPKHe';
// User input again:
const myPlaintextPassword = 'E@Js#07Do=U$';
bcrypt.compare(myPlaintextPassword, hash, function(err, res) {
  if (err) throw err;
  // res is true as the original password is the same
  // res == true
});
Upvotes: 4