Bcrypt 为相同的输入生成不同的哈希值? [英] Bcrypt generates different hashes for the same input?

问题描述

我刚刚为我的新 grails 项目添加了一个注册功能.为了测试它，我通过提供电子邮件和密码进行了注册.在将密码保存到数据库之前，我使用 bcrypt 算法对密码进行散列.

I just added a registration functionality to my new grails project. For testing it, I registered by giving an email and a password. I am using bcrypt algorithm for hashing the password before saving it to the database.

但是，当我尝试使用注册时提供的相同电子邮件和密码登录时，登录失败.我调试了应用程序，发现当我尝试与数据库中已经散列的散列进行比较时，为相同密码生成的散列是不同的，因此登录失败 (Registration.findByEmailAndPassword(params.email,hashPassd) 在 LoginController.groovy 中返回 null).

However when I try to login with the same email and password that I gave while registering, login fails. I debugged the application and found out that the hash that is generated for the same password is different when I try to compare with the already hashed one from database and hence the login is failing (Registration.findByEmailAndPassword(params.email,hashPassd) in LoginController.groovy returns null).

这是我的域类 Registration.groovy:

Here's my domain class Registration.groovy:

class Registration {

   transient springSecurityService

   String fullName
   String password
   String email

   static constraints = {
      fullName(blank:false)
      password(blank:false, password:true)
      email(blank:false, email:true, unique:true)
   }

   def beforeInsert = {
      encodePassword()
   }

   protected void encodePassword() {
      password = springSecurityService.encodePassword(password)
   }
}

这是我的 LoginController.groovy:

Here's my LoginController.groovy:

class LoginController {

   /**
    * Dependency injection for the springSecurityService.
    */
   def springSecurityService

   def index = {
      if (springSecurityService.isLoggedIn()) {
         render(view: "../homepage")
      }
      else {
         render(view: "../index")
      }
   }

   /**
    * Show the login page.
    */
   def handleLogin = {

      if (springSecurityService.isLoggedIn()) {
         render(view: "../homepage")
         return
      }

      def hashPassd = springSecurityService.encodePassword(params.password)
      // Find the username
      def user = Registration.findByEmailAndPassword(params.email,hashPassd)
      if (!user) {
         flash.message = "User not found for email: ${params.email}"
         render(view: "../index")
         return
      } else {
         session.user = user
         render(view: "../homepage")
      }
   }
}

这是我的 Config.groovy 中的一个片段，它告诉 grails 使用 bcrypt 算法来散列密码和密钥的轮数:

Here's a snippet from my Config.groovy telling grails to use bcrypt algorithm to hash passwords and the number of rounds of keying:

grails.plugins.springsecurity.password.algorithm = 'bcrypt'
grails.plugins.springsecurity.password.bcrypt.logrounds = 16

推荐答案

Jan 是正确的 - bcrypt 的设计不会为每个输入字符串生成相同的哈希值.但是有一种方法可以检查散列密码是否有效，并将其合并到关联的密码编码器中.因此，为控制器中的 passwordEncoder bean 添加依赖项注入 (def passwordEncoder) 并将查找更改为

Jan is correct - bcrypt by design doesn't generate the same hash for each input string. But there's a way to check that a hashed password is valid, and it's incorporated into the associated password encoder. So add a dependency injection for the passwordEncoder bean in your controller (def passwordEncoder) and change the lookup to

def handleLogin = {

   if (springSecurityService.isLoggedIn()) {
      render(view: "../homepage")
      return
   }

   def user = Registration.findByEmail(params.email)
   if (user && !passwordEncoder.isPasswordValid(user.password, params.password, null)) {
      user = null
   }

   if (!user) {
      flash.message = "User not found for email: ${params.email}"
      render(view: "../index")
      return
   }

   session.user = user
   render(view: "../homepage")
}

请注意，您没有对 isPasswordValid 调用的密码进行编码 - 传递明文提交的密码.

Note that you don't encode the password for the isPasswordValid call - pass in the cleartext submitted password.

此外 - 完全无关 - 将用户存储在会话中是一个坏主意.auth 主体随时可用并存储用户 ID，以便根据需要轻松重新加载用户(例如 User.get(springSecurityService.principal.id).存储断开连接的潜在大型 Hibernate 对象在以下情况下效果很好开发模式，当您是服务器的唯一用户时，但可能会严重浪费内存并迫使您解决断开连接的对象(例如，必须使用 merge 等).

Also - completely unrelated - it's a bad idea to store the user in the session. The auth principal is readily available and stores the user id to make it easy to reload the user as needed (e.g. User.get(springSecurityService.principal.id). Storing disconnected potentially large Hibernate objects works great in dev mode when you're the only user of your server, but can be a significant waste of memory and forces you to work around the objects being disconnected (e.g. having to use merge, etc.).

这篇关于Bcrypt 为相同的输入生成不同的哈希值?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！