Unique Salt per User using Flask-Security


Problem description

After reading here a bit about salting passwords, it seems that it's best to use a unique salt for each user. I'm working on implementing Flask-Security atm, and from the documentation it appears you can only set a global salt, i.e. SECURITY_PASSWORD_SALT = 'thesalt'

Question: How would one go about making a unique salt for each password?

Thanks!

Edit: from the docs on Flask-Security, I found this, which seems to again suggest that this module only uses a single salt for all passwords out of the box.

flask_security.utils.get_hmac(password)
    Returns a Base64 encoded HMAC+SHA512 of the password signed with the salt 
    specified by SECURITY_PASSWORD_SALT.

Recommended answer

Yes, Flask-Security does use per-user salts by design if using bcrypt (and other schemes such as des_crypt, pbkdf2_sha256, pbkdf2_sha512, sha256_crypt, sha512_crypt).

The config for 'SECURITY_PASSWORD_SALT' is only used for HMAC encryption. If you are using bcrypt as the hashing algorithm, Flask-Security uses passlib for hashing and it generates a random salt during hashing. This confusion is noted in issue 268: https://github.com/mattupstate/flask-security/issues/268

It can be verified in the code, walking from encrypt to passlib:

flask_security/utils.py (lines 143-151, 39, and 269)

def encrypt_password(password):
    ...
    return _pwd_context.encrypt(signed)

_pwd_context = LocalProxy(lambda: _security.pwd_context)

flask_security/core.py (269, 244-251, and 18)

pwd_context=_get_pwd_context(app)

def _get_pwd_context(app):
    ...
    return CryptContext(schemes=schemes, default=pw_hash, deprecated=deprecated)

from passlib.context import CryptContext

and finally from: https://pythonhosted.org/passlib/password_hash_api.html#passlib.ifc.PasswordHash.encrypt

Note that each call to encrypt() generates a new salt.
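To make the two-layer structure described above concrete, here is an added, self-contained illustration (not Flask-Security's or passlib's own code) that mirrors the same design with the standard library only: the global SECURITY_PASSWORD_SALT value acts as an HMAC key applied first, and a fresh random per-user salt is then drawn for the real password hash (pbkdf2_sha512 is used here in place of bcrypt; the key value, round count and storage format are assumptions for this example).

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed values for this illustration only.
GLOBAL_HMAC_KEY = b"thesalt"   # plays the role of SECURITY_PASSWORD_SALT
PBKDF2_ROUNDS = 100_000        # assumed round count for this demo
SALT_BYTES = 16                # per-user salt length (assumption)


def get_hmac(password: str, key: bytes = GLOBAL_HMAC_KEY) -> bytes:
    """Base64-encoded HMAC-SHA512 of the password keyed with the global value.
    This step is deterministic: same password + same key -> same output."""
    mac = hmac.new(key, password.encode("utf-8"), hashlib.sha512).digest()
    return base64.b64encode(mac)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """HMAC with the global key, then PBKDF2-SHA512 with a random salt.
    The random salt is what makes every stored hash unique per user."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    signed = get_hmac(password)
    dk = hashlib.pbkdf2_hmac("sha512", signed, salt, PBKDF2_ROUNDS)
    # Assumed storage format: $scheme$rounds$salt_hex$hash_hex
    return "$pbkdf2-sha512$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; constant-time compare.
    Changing GLOBAL_HMAC_KEY would make every existing hash fail here."""
    _, scheme, rounds, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2-sha512":
        return False
    dk = hashlib.pbkdf2_hmac("sha512", get_hmac(password),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def salts_differ(password: str) -> bool:
    """Hashing the same password twice yields two salts and two hashes."""
    a, b = hash_password(password), hash_password(password)
    return a != b and a.split("$")[3] != b.split("$")[3]
```

Note that only the second stage varies between calls; the HMAC stage is identical for every user, which is why the global value is a key (a "pepper"), not a salt.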
