Meteor, why does the same password, after hashing, end up stored as a different string in the database

I found that Meteor uses sha-256 by default to hash passwords. But I'm confused: the same password for each account becomes a different string stored in the database after hashing. Can anyone explain the concrete implementation? Thx.

According to the Meteor documentation, accounts-password uses bcrypt.

If you look at the source code of loginWithPassword, you should be able to find out where the salt is stored. As a second source, read MasterAM's, which indicates that Meteor from 2011 on uses $2y$ hash strings, i.e. PHP CRYPT_BLOWFISH, which uses the following:

CRYPT_BLOWFISH - Blowfish hashing with a salt as follows: "$2a$", "$2x$" or "$2y$", a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z". Using characters outside of this range in the salt will cause crypt() to return a zero-length string. The two digit cost parameter is the base-2 logarithm of the iteration count for the underlying Blowfish-based hashing algorithm and must be in range 04-31; values outside this range will cause crypt() to fail. Versions of PHP before 5.3.7 only support "$2a$" as the salt prefix: PHP 5.3.7 introduced the new prefixes to fix a security weakness in the Blowfish implementation. Please refer to this document for full details of the security fix, but to summarise, developers targeting only PHP 5.3.7 and later should use "$2y$" in preference to "$2a$".

So look in the database for the $2y$ string and extract the salt from it.