Do I need to store the salt with bcrypt?


Question

bCrypt's javadoc has this code for how to encrypt a password:

String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt()); 

To check whether a plaintext password matches one that has been hashed previously, use the checkpw method:

if (BCrypt.checkpw(candidate_password, stored_hash))
    System.out.println("It matches");
else
    System.out.println("It does not match");

These code snippets imply to me that the randomly generated salt is thrown away. Is this the case, or is this just a misleading code snippet?

Recommended answer

The salt is incorporated into the hash (encoded in a base64-style format).

For example, in traditional Unix passwords the salt was stored as the first two characters of the password. The remaining characters represented the hash value. The checker function knows this, and pulls the hash apart to get the salt back out.
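
The layout the answer describes, shown as an added example (not part of the original answer and not jBCrypt's own code): a stand-alone Java parser that splits a bcrypt hash string into version, cost, salt and digest and decodes the salt back to its 16 raw bytes. The class name, the helper and the sample string (an illustrative value in bcrypt's 60-character format) are assumptions made for this example.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BcryptHashLayout {
    // bcrypt uses its own base64 alphabet, not the RFC 4648 one.
    private static final String ALPHABET =
        "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // $<version>$<2-digit cost>$<22-char salt><31-char digest>
    private static final Pattern FORMAT = Pattern.compile(
        "^\\$(2[abxy]?)\\$(\\d{2})\\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$");

    // Decode bcrypt-style base64 text into exactly outLen bytes.
    static byte[] decode(String text, int outLen) {
        byte[] out = new byte[outLen];
        int bits = 0, acc = 0, n = 0;
        for (int i = 0; i < text.length() && n < outLen; i++) {
            acc = (acc << 6) | ALPHABET.indexOf(text.charAt(i));
            bits += 6;
            if (bits >= 8) {
                bits -= 8;
                out[n++] = (byte) (acc >> bits); // emit the top 8 buffered bits
                acc &= (1 << bits) - 1;          // keep only the leftover bits
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Sample value in bcrypt's 60-character layout (illustrative input only).
        String stored = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy";
        Matcher m = FORMAT.matcher(stored);
        if (!m.matches()) {
            throw new IllegalArgumentException("not a bcrypt hash string");
        }
        int cost = Integer.parseInt(m.group(2));
        byte[] salt = decode(m.group(3), 16); // 22 chars carry the 128-bit salt
        StringBuilder hex = new StringBuilder();
        for (byte b : salt) hex.append(String.format("%02x", b));
        System.out.println("version : " + m.group(1));
        System.out.println("cost    : " + cost + " (2^" + cost + " key-expansion rounds)");
        System.out.println("salt    : " + m.group(3) + " -> 16 bytes " + hex);
        System.out.println("digest  : " + m.group(4));
    }
}
```

Because the salt and cost travel inside the string, persisting the full value returned by `hashpw` is enough; no separate salt column is needed.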
