Do I need to store the salt with bcrypt?


Question

bCrypt's javadoc has this code for how to encrypt a password:

String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt()); 



To check whether a plaintext password matches one that has been hashed previously, use the checkpw method:

if (BCrypt.checkpw(candidate_password, stored_hash))
    System.out.println("It matches");
else
    System.out.println("It does not match");

These code snippets imply to me that the randomly generated salt is thrown away. Is this the case, or is this just a misleading code snippet?

Recommended answer

The salt is incorporated into the hash (encoded in a base64-style format).

For example, in traditional Unix passwords the salt was stored as the first two characters of the password. The remaining characters represented the hash value. The checker function knows this, and pulls the hash apart to get the salt back out.
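
The layout the answer describes, as an added example that is not part of the original answer or of jBCrypt: a parser that splits a stored bcrypt string into the version, cost, salt and digest fields. The class name, the record and the sample string are assumptions constructed for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (Java 16+ for records); hypothetical class, not jBCrypt code.
public class BcryptHashFields {
    // $<version>$<2-digit cost>$<22-char salt><31-char digest>,
    // salt and digest written in bcrypt's own base64-style alphabet.
    private static final Pattern FORMAT = Pattern.compile(
        "^\\$(2[abxy]?)\\$(\\d{2})\\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$");

    record Fields(String version, int cost, String salt, String digest,
                  String saltString) {}

    static Fields parse(String storedHash) {
        Matcher m = FORMAT.matcher(storedHash);
        if (!m.matches()) {
            throw new IllegalArgumentException("not a bcrypt hash string");
        }
        int cost = Integer.parseInt(m.group(2));
        if (cost < 4 || cost > 31) { // bcrypt's defined cost range
            throw new IllegalArgumentException("cost out of range: " + cost);
        }
        // The first 29 characters have the same shape as the value
        // BCrypt.gensalt() returns: version, cost and encoded salt.
        String saltString = storedHash.substring(0, 29);
        return new Fields(m.group(1), cost, m.group(3), m.group(4), saltString);
    }

    public static void main(String[] args) {
        // Constructed sample in bcrypt's format; not the hash of any password.
        String stored =
            "$2a$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01232";
        Fields f = parse(stored);
        System.out.println("version:     " + f.version());
        System.out.println("cost:        " + f.cost());
        System.out.println("salt:        " + f.salt());
        System.out.println("digest:      " + f.digest());
        System.out.println("salt string: " + f.saltString());
    }
}
```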
