You're HASHING, not ENCRYPTING!
What's the difference?
The difference is that hashing is a one-way function, whereas encryption is a two-way function.
So, how do you ascertain that the password is right?
So when a user submits a password, you don't decrypt your stored hash; instead, you perform the same bcrypt operation on the user's input and compare the resulting hashes. If they're identical, you accept the authentication.
Should you hash or encrypt passwords?
What you're doing now -- hashing the passwords -- is correct. If you were to simply encrypt passwords, a breach of your application could allow a malicious user to trivially learn all user passwords. If you hash (or better, salt and hash) passwords, the attacker needs to crack the passwords (which is computationally expensive with bcrypt) to gain that knowledge.
As your users probably use their passwords in more than one place, this will help to protect them.
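The store-then-verify flow described above, as an added example that is not part of the original answer. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it here; the pattern (random salt, hash on store, re-hash and compare on login, never decrypt) is the same, and the iteration count is an illustrative choice.

```python
import base64
import hashlib
import hmac
import os

# Illustrative parameters (assumptions, not values from the answer).
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """One-way derivation: there is no inverse that recovers the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hash_password(password: str) -> str:
    """Build the self-describing record that is stored instead of the password."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = _derive(password, salt, ITERATIONS)
    return "$".join([
        ALGO,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(candidate: str, stored: str) -> bool:
    """Re-run the same derivation on the candidate and compare digests.

    Nothing is decrypted: the stored record cannot be turned back into the
    password, so the only check possible is to hash again with the stored
    salt and parameters and compare the results.
    """
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record, never match
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = _derive(candidate, salt, int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))  # False
```

Because each record carries its own random salt, hashing the same password twice yields two different records, which is what stops one cracked hash from revealing every user who chose that password.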