How to decode the user password from the database


#1

We are currently developing an intermediate system between loraappserver and user-oriented. We need to process the user password stored in LORA_APP, but we are currently experiencing a problem. When we get the password from the user table in the PostgreSQL database, the password field is encrypted, so I would like to ask everyone: what is the encryption method of the LoRa user’s password? How can I decrypt it from the database? Thank you!


#2

Looks like PBKDF2.


#3

Notice that in general passwords are not encrypted (this is a really bad idea) but hashed and salted. The whole idea is that given a user’s password in plain text and the salt you may hash it and compare with the stored hash to see that it matches, but you cannot derive the user’s password from the stored hash. I’m mentioning this because of your question:

You can’t and shouldn’t. Instead, if you want to authenticate your users from the intermediate system you may use the already available lora-app-server’s API, or manually read the stored hash from the DB and do the comparison yourself, just like in the hashCompare function referenced by Brian.


#4

Thank you for your answer, but can you tell me how I can get the value of the parameter iterations?


#5

Thank you for your answer! I will take a closer look at the API documentation later.


#6

The hashing algorithm, iterations and salt are stored along with the hashed password separated by $. For example, if you have this string:

PBKDF2$sha512$100000$4u3hL8krvlMIS0KnCYXeMw==$G7c7tuUYq2zSJaUeruvNL/KF30d3TVDORVD56wzvJYmc3muWjoaozH8bHJ7r8zY8dW6Pts2bWyhFfkb/ubQZsA==

Then the algorithm is SHA512, the number of iterations is 100000 and the (base64 encoded) salt is 4u3hL8krvlMIS0KnCYXeMw==.


#7

Thank you, I found the field you just mentioned in the database. I will try it. Hope it can be achieved.


#8

What exactly are you trying to do … reconstruct the plain text password from the stored hash?


#9

This was considered at the beginning, but it is not feasible. Now I directly use the hashcompare method in the lora source to verify.
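
The comparison described in #3 and the stored format described in #6, as an added Python example that is not part of the thread and is not lora-app-server's own code. It assumes the salt is base64-decoded before use, the derived key has the same length as the stored hash, and passwords are UTF-8; `MAX_ITERATIONS` and `make_record` are illustrative names, so check these assumptions against the project's hashCompare before relying on it.

```python
import base64
import hashlib
import hmac
import os

# Stored string quoted in the thread; the password behind it is not known here.
THREAD_EXAMPLE = (
    "PBKDF2$sha512$100000$4u3hL8krvlMIS0KnCYXeMw==$"
    "G7c7tuUYq2zSJaUeruvNL/KF30d3TVDORVD56wzvJYmc3muWjoaozH8bHJ7r8zY8"
    "dW6Pts2bWyhFfkb/ubQZsA==")
MAX_ITERATIONS = 10_000_000  # assumed cap so a corrupted row cannot stall the verifier


def parse_stored_hash(stored):
    """Split 'PBKDF2$digest$iterations$salt$hash' into typed fields."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "PBKDF2":
        raise ValueError("not a PBKDF2 record")
    _, digest, iterations, salt_b64, hash_b64 = parts
    if digest != "sha512":  # the only digest the thread shows
        raise ValueError("unexpected digest")
    if not (iterations.isdigit() and 0 < int(iterations) <= MAX_ITERATIONS):
        raise ValueError("bad iteration count")
    salt = base64.b64decode(salt_b64, validate=True)
    expected = base64.b64decode(hash_b64, validate=True)
    if not salt or not expected:
        raise ValueError("empty salt or hash")
    return digest, int(iterations), salt, expected


def verify_password(password, stored):
    """Re-derive the key from the candidate password; compare in constant time."""
    try:
        digest, iterations, salt, expected = parse_stored_hash(stored)
    except ValueError:  # also covers malformed base64 (binascii.Error)
        return False
    derived = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt,
                                  iterations, dklen=len(expected))
    return hmac.compare_digest(derived, expected)


def make_record(password, iterations=100000):
    """Build a record in the same layout, for constructed test data only."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return "$".join(["PBKDF2", "sha512", str(iterations), b64(salt), b64(key)])
```

A malformed or unexpected record is treated as a failed login rather than an error, so the intermediate system fails closed.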