Dar Hamid

Reputation: 1979

How to Decrypt an encrypted Password in Node.js

I want to create a change password page for the user. I encrypt the password when I save the user in the database (MongoDB).

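    var crypto = require('crypto');

    // Virtual 'password' property: setting it generates a salt and stores the digest.
    User.virtual('password')
      .set(function(password) {
        this._password = password;
        this.salt = this.makeSalt();
        this.hashed_password = this.encryptPassword(password);
      })
      .get(function() { return this._password; });

    // Re-compute the digest of the submitted password and compare it to the stored one.
    User.method('authenticate', function(plainText) {
      return this.encryptPassword(plainText) === this.hashed_password;
    });

    // Derive a per-user salt from the current time and Math.random().
    User.method('makeSalt', function() {
      return Math.round((new Date().valueOf() * Math.random())) + '';
    });

    // HMAC-SHA1 of the password, keyed with the user's salt, as a hex string.
    User.method('encryptPassword', function(password) {
      return crypto.createHmac('sha1', this.salt).update(password).digest('hex');
    });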

I don't know how to decrypt it in order to get the original password back. Any help will be appreciated.

Upvotes: 3

Views: 11763

Answers (2)

Anthony Bullard

Reputation: 36

I think the best solution here would be to allow the user to answer some security questions and then be able to reset the password by clicking a link sent to the email in their profile. They might end up setting it to the same password, but that is not your concern. This allows you to not have to worry about unhashing the password.

Of course this is harder if you did not provide for this in the original sign-up form. But if your service isn't actually launched yet, this should be very easy to implement.

Upvotes: 1

Mike Scott

Reputation: 4805

The password is hashed, not encrypted, and you can't get the original back -- that's the whole point of hashing, it's a one-way function. You shouldn't ever need to get the original back, as you have no legitimate use for it. To validate a user, you hash the password that they give you in the same way as the stored one, then compare the hashes.

Upvotes: 19
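
The hash-and-compare check described in the answer above, applied to a change-password flow, as an added example that is not part of the original question or answers. It assumes scrypt with a random salt in place of the question's HMAC-SHA1 scheme, and a plain `{ salt, hash }` object standing in for the stored user record; the function names are hypothetical.

```javascript
const crypto = require('crypto');

// Hash a password with a fresh random salt. scrypt is an assumption of this
// example; the question's code uses HMAC-SHA1 keyed with the salt instead.
function hashPassword(plain, salt = crypto.randomBytes(16).toString('hex')) {
  const hash = crypto.scryptSync(plain, salt, 32).toString('hex');
  return { salt, hash };
}

// Validate by re-hashing the candidate with the stored salt and comparing
// the digests in constant time. The original password is never recovered.
function verifyPassword(plain, stored) {
  const candidate = crypto.scryptSync(plain, stored.salt, 32);
  const expected = Buffer.from(stored.hash, 'hex');
  return candidate.length === expected.length &&
    crypto.timingSafeEqual(candidate, expected);
}

// Change-password logic: check the current password, then replace the stored
// salt and hash. `user` is a hypothetical stand-in for the database record.
function changePassword(user, currentPlain, newPlain) {
  if (!verifyPassword(currentPlain, user)) {
    return false; // wrong current password: leave the record untouched
  }
  Object.assign(user, hashPassword(newPlain));
  return true;
}

// Constructed sample record for demonstration.
const demo = hashPassword('old-secret');
console.log(changePassword(demo, 'guess', 'new-secret'));      // rejected
console.log(changePassword(demo, 'old-secret', 'new-secret')); // accepted
```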
