I have the hash and the reset token to a bcrypt hash. Just wondering if it can help with unhashing it.
Hashid identifies the hash as bigcrypt, it means bcrypt, right?
Just wondering if it can work, I haven't tried anything yet.
BigCrypt isn't the same thing as bcrypt. BigCrypt (aka BSDi crypt) is an improved variant of DES crypt developed by BSDi that supports non-truncated longer passwords, a bigger salt, and a variable work factor.
For comparison, a BigCrypt hash looks like this:
_FQ0.amG/zwCMip7DnBk
... and a bcrypt hash looks like this:
$2y$12$4HzMep8Ak2aXyx9Ldg32qOWYR5qSCxrQH619Ejk4qgmLZPq5.Sf4K
BigCrypt hashes aren't currently supported by hashcat, but John the Ripper does support them as the 'bsdicrypt' format. (I think they may also be automatically detected by the 'descrypt' format as well, but I haven't tested that.)
So you should be able to use John the Ripper to crack these hashes, with something like:
$ john hash.txt --format=bsdicrypt --wordlist wordlist.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bsdicrypt, BSDI crypt(3) [DES 512/512 AVX512F])
Cost 1 (iteration count) is 10001 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
password (?)
1g 0:00:00:00 DONE (2023-06-03 09:50) 16.67g/s 136533p/s 136533c/s 136533C/s 123456..nelly1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
If the hash does turn out to be true bcrypt, just replace 'bsdicrypt' with 'bcrypt' in the command above.
Password reset tokens are usually totally unrelated to the hash itself. They're usually just a way for the application to track the validity and/or status of a user's password reset request.
(Side note: it's best to avoid words like "dehashing", "decrypting", "unhashing", etc. when talking about password hashes, because these terms all imply some kind of reversibility that isn't possible with password hashes, by design. The term of art in this space is 'cracking', where we just guess many different possible plaintexts and see if they produce the target hash.)
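An added example, not part of the original posts: a small Python classifier that tells the two sample hash layouts above apart by structure and decodes the work factor each one carries. The function and field names are illustrative assumptions; the iteration count decoded from the `_`-prefixed sample matches the "Cost 1 (iteration count) is 10001" line in the John output.

```python
import re

# crypt(3) base-64 alphabet used by the DES-based schemes
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
A = r"[./0-9A-Za-z]"

# '_' + 4 chars iteration count + 4 chars salt + 11 chars hash (20 total)
BSDI_RE = re.compile(rf"^_({A}{{4}})({A}{{4}})({A}{{11}})$")
# '$2?$' + 2-digit cost + '$' + 22 chars salt + 31 chars hash (60 total)
BCRYPT_RE = re.compile(rf"^\$(2[abxy]?)\$(\d{{2}})\$({A}{{22}})({A}{{31}})$")
# traditional DES crypt: 2 chars salt + 11 chars hash (13 total)
DES_RE = re.compile(rf"^({A}{{2}})({A}{{11}})$")


def _decode_le(chars):
    """Decode crypt-base64 characters, least significant 6 bits first."""
    return sum(ITOA64.index(c) << (6 * i) for i, c in enumerate(chars))


def classify(hash_str):
    """Describe a hash by its layout; returns {'scheme': 'unknown'} if no match."""
    h = hash_str.strip()
    m = BSDI_RE.match(h)
    if m:
        return {"scheme": "bsdicrypt", "iterations": _decode_le(m.group(1)),
                "salt": m.group(2)}
    m = BCRYPT_RE.match(h)
    if m and 4 <= int(m.group(2)) <= 31:  # bcrypt cost is limited to 4..31
        cost = int(m.group(2))
        return {"scheme": "bcrypt", "variant": m.group(1), "cost": cost,
                "rounds": 1 << cost}
    m = DES_RE.match(h)
    if m:
        return {"scheme": "descrypt", "salt": m.group(1)}
    return {"scheme": "unknown"}


if __name__ == "__main__":
    # The two sample hashes quoted in the answer above
    for sample in ("_FQ0.amG/zwCMip7DnBk",
                   "$2y$12$4HzMep8Ak2aXyx9Ldg32qOWYR5qSCxrQH619Ejk4qgmLZPq5.Sf4K"):
        print(sample, "->", classify(sample))
```

The `scheme` values reuse John the Ripper's format names from the answer, so the result can be passed straight to `--format=`.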