Getting familiar with Parse.com's hashed passwords when moving to another server

Today I want to describe my solution to a problem developers run into when they move from Parse.com to Firebase (or another server).

Developers who use, or have used, Parse authentication in their apps know that user passwords are stored hashed. That means the developer cannot recover the plaintext passwords.

That is of course very important for security, but developers still need to understand how to handle it during a migration.

Anyone who works with Firebase knows that its data is stored as JSON, so JSON files can be imported. Parse.com also has a useful option: export data (in the app settings). When you click the export button, an archive with all of the application's data in JSON format is sent to your e-mail.

And this is where a small problem appears. All fields contain their values, as expected, but the password field does not contain the password itself, only a hash of it.

A little digging in the service documentation shows that the hashing algorithm is bcrypt. The hash string itself says so: the "$2a$08$" prefix identifies a bcrypt hash with cost factor 8, and the characters after it are the salt followed by the hash. But how can the application tell whether an entered password matches the stored hash or not?

On the Internet you can find some useful resources for checking bcrypt hashes and for information about bcrypt. I list them here:

1) http://stackoverflow.com/questions/5881169/what-column-type-length-should-i-use-for-storing-a-bcrypt-hashed-password-in-a-d/5882472#5882472 : a detailed description of the bcrypt hash format and how to store it.

2) https://www.dailycred.com/article/bcrypt-calculator : a calculator that generates hashes at a given cost and checks whether a password matches a previously generated hash (the hash string differs each time, even for the same password, because every run uses a fresh random salt).

3) http://bcrypthashgenerator.apphb.com/ : a bcrypt hash generator

4) https://www.bcrypt-generator.com/ : another one

Use these sites only with test values; real user passwords and production hashes should never be pasted into a third-party page. An open question remains: how to check whether the hash stored in our JSON data matches the hash generated from the password the user enters.

To implement this check, we will use the jBCrypt library (there are equivalents for other languages).

    import org.mindrot.jbcrypt.BCrypt;

    public class Main {
        public static void main(String[] args) {
            // Hash taken from the Parse.com export (password field of a user record)
            String candidateParseCom =
                "$2a$08$osg6o7pLGfsJryTLeZY2O.8iXC2RErtvd598tcCJKoc8I3l5Amj3S";
            // Password entered by the user at login
            String password = "123";
            // checkpw re-hashes the password with the salt and cost embedded in the
            // stored hash and compares the result with the stored hash
            if (BCrypt.checkpw(password, candidateParseCom)) {
                System.out.println("It matches");
            } else {
                System.out.println("It does not match");
            }
        }
    }

Any additional information can be found in the documentation for that library.

In this example we take the password the user entered and check it against the hash from the JSON export (the Parse.com password field). BCrypt.checkpw reads the salt and cost factor out of the stored hash, hashes the entered password the same way and compares the two results; if they are equal, the password is correct and we can let the user in. Note that this is hashing, not encryption: nothing here decrypts the stored value, and the plaintext is only available at the moment the user logs in. A non-matching result, or a field that is not a bcrypt string at all, should be treated as a failed login. If you later want to leave bcrypt behind, that login moment is the only time you can re-hash the password for the new backend. (Firebase's own auth import tooling can import bcrypt hashes directly, so if you only need Firebase Authentication to accept the existing passwords, check that path before writing your own verification.)
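As an added example (not code from the original post, from Parse.com or from the jBCrypt project), here is the check above extended with what a migration actually needs: rejecting fields that are not bcrypt strings before calling the library, reading the cost factor out of the "$2a$08$" prefix, treating a malformed hash as a failed login instead of an uncaught exception, and re-hashing at a higher cost once the user has logged in and the plaintext is available. It assumes the org.mindrot jbcrypt artifact on the classpath; the LoginResult type, the TARGET_COST value and the field contents are assumptions made for illustration.

```java
import org.mindrot.jbcrypt.BCrypt;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

/*
 * Added example, not code from the original post or from Parse.com/jBCrypt.
 * Wraps BCrypt.checkpw() with the checks a migration needs: validate that the
 * exported field really is a bcrypt string, read its cost from the "$2a$NN$"
 * prefix, fail closed on malformed values, and re-hash at a higher cost at login.
 * LoginResult, TARGET_COST and the sample inputs are assumptions for illustration.
 */
public class ParseBcryptMigration {

    // Modular crypt format as seen in the Parse.com export:
    // $2a$<2-digit cost>$<22-char salt><31-char hash>, 60 characters in total.
    private static final Pattern BCRYPT_2A =
            Pattern.compile("^\\$2a\\$(\\d{2})\\$[./A-Za-z0-9]{53}$");

    // Assumed policy: Parse.com exported cost 8; re-hash to this cost after a successful login.
    private static final int TARGET_COST = 12;

    /** Result of one login attempt; upgradedHash is non-null when the stored hash should be replaced. */
    public static final class LoginResult {
        public final boolean ok;
        public final String upgradedHash;

        LoginResult(boolean ok, String upgradedHash) {
            this.ok = ok;
            this.upgradedHash = upgradedHash;
        }
    }

    /** Returns the bcrypt cost encoded in the hash, or -1 if the string is not a $2a$ bcrypt hash. */
    public static int costOf(String storedHash) {
        if (storedHash == null) {
            return -1;
        }
        Matcher m = BCRYPT_2A.matcher(storedHash);
        return m.matches() ? Integer.parseInt(m.group(1)) : -1;
    }

    /** Verifies a login against the hash copied from the Parse.com export. */
    public static LoginResult login(String password, String storedHash) {
        if (password == null || costOf(storedHash) < 0) {
            // Not a bcrypt string (empty field, truncated export, social-login-only user, ...):
            // fail closed instead of letting checkpw throw inside the request path.
            return new LoginResult(false, null);
        }
        boolean ok;
        try {
            // checkpw re-hashes the candidate with the salt and cost taken from storedHash
            // and compares the result; it never needs (and cannot recover) the plaintext.
            ok = BCrypt.checkpw(password, storedHash);
        } catch (IllegalArgumentException e) {
            // jBCrypt rejects salts it cannot parse; treat that as a failed login.
            ok = false;
        }
        if (!ok) {
            return new LoginResult(false, null);
        }
        // Login is the only moment the plaintext is available, so this is when the
        // cost-8 hash from Parse.com can be replaced with one at the target cost.
        String upgraded = null;
        if (costOf(storedHash) < TARGET_COST) {
            upgraded = BCrypt.hashpw(password, BCrypt.gensalt(TARGET_COST));
        }
        return new LoginResult(true, upgraded);
    }

    public static void main(String[] args) {
        // Hash from the post (cost 8); the password is whatever the user typed at login.
        String fromExport = "$2a$08$osg6o7pLGfsJryTLeZY2O.8iXC2RErtvd598tcCJKoc8I3l5Amj3S";
        System.out.println("cost in export: " + costOf(fromExport));
        System.out.println("garbage field cost: " + costOf("not-a-hash"));

        LoginResult r = login("123", fromExport);
        System.out.println("login ok: " + r.ok);
        if (r.upgradedHash != null) {
            System.out.println("store this instead: " + r.upgradedHash);
        }

        // A freshly generated hash verifies too, even though the string differs on every run.
        String fresh = BCrypt.hashpw("123", BCrypt.gensalt(TARGET_COST));
        System.out.println("fresh hash verifies: " + BCrypt.checkpw("123", fresh));
    }
}
```

BCrypt.checkpw takes the salt and cost from the stored string, so no separate salt column is needed when you copy the Parse.com field into your own user table. costOf returns 8 for the hash from the export and -1 for anything that is not a $2a$ bcrypt string, and login only hands back an upgraded hash when the stored cost is below TARGET_COST, so the caller can write it back to the user record in the same request.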

Hope it helps.

Best regards.

Author’s blog — http://junior-freelancer.weebly.com/

Google+ group https://plus.google.com/communities/116909412700470024472