Why does compareSync not need a salt string?
I am trying to use bcryptjs to generate a hash of a user's password, but I am confused about one thing.
Conventionally, according to this article, we need to:
- make our password hash value relatively long and unique,
- hash the user's password salted with this salt,
- store the salted, hashed password together with the salt.
So, when we compare hashes while authenticating a user, we append the stored salt to the password the user entered and compare the result with the hash in the database.
However, using bcryptjs's hashSync and compareSync looks like this:
// hashSync to generate the hash
var bcrypt = require('bcryptjs');
var password = "abc";
// the second argument is the salt length (4-31); the salt itself is self-generated, random and fairly unique
var hash = bcrypt.hashSync(password, 10);
// compareSync to compare against the hash
var testString = "abc";
console.log(bcrypt.compareSync(testString, hash)); // compares with the previously generated hash; returns true in this case
What confuses me is: if we do not need the salt at authentication time, what is the point of generating it? compareSync returns true without access to the salt. Doesn't that make brute-force attacks on relatively short passwords easy? Regardless of the salt size, all of the following return true:
console.log(bcrypt.compareSync("abc", bcrypt.hashSync("abc")));     // logs true; by default, if the salt size is not given, it is 10
console.log(bcrypt.compareSync("abc", bcrypt.hashSync("abc", 4)));  // logs true
console.log(bcrypt.compareSync("abc", bcrypt.hashSync("abc", 8)));  // logs true
console.log(bcrypt.compareSync("abc", bcrypt.hashSync("abc", 32))); // logs true
console.log(bcrypt.compareSync("ab", bcrypt.hashSync("abc", 4)));   // logs false
I hope I have explained my confusion clearly.
The bcrypt standard makes storing the salt easy - everything needed to check a password is stored in the output string.
The prefix "$2a$" or "$2y$" in a hash string in a shadow password file indicates that the hash string is a bcrypt hash in modular crypt format. The rest of the hash string includes the cost parameter, a 128-bit salt (base-64 encoded as 22 characters), and the 192-bit hash value (base-64 encoded as 31 characters).
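To make the layout described above concrete, here is an added example (not code from the question, the answer, or bcryptjs) that splits a stored bcrypt string into its fields without any dependencies. The first 29 characters (version, cost and salt) are exactly what a bcrypt verifier re-uses as the salt argument when it re-hashes the candidate password and compares the result, which is why compareSync needs no separate salt. The sample string is constructed to have the right shape and is not a real hash of any password.

```javascript
// Parser for the bcrypt modular-crypt string format: $<version>$<cost>$<22-char salt><31-char hash>
// Added example, not from the post or from bcryptjs; uses no dependencies.
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/;

// Split a stored bcrypt string into its fields; throws on anything malformed.
function parseBcryptHash(stored) {
  const m = BCRYPT_RE.exec(stored);
  if (!m) throw new Error("not a bcrypt hash string");
  const cost = parseInt(m[2], 10);
  if (cost < 4 || cost > 31) throw new Error("cost out of range: " + cost);
  return {
    version: m[1],
    cost: cost,          // work factor: 2^cost key-expansion rounds
    salt: m[3],          // 128-bit salt, 22 base64 characters
    hash: m[4],          // hash value, 31 base64 characters
    // Everything before the hash value is what a verifier passes as the
    // "salt" argument when re-hashing a candidate password for comparison.
    saltPrefix: stored.slice(0, 29),
  };
}

// Whether a stored string is well-formed enough for a comparison to proceed.
// Rejecting malformed records early avoids treating a corrupted row as a
// valid credential.
function isWellFormed(stored) {
  try {
    parseBcryptHash(stored);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample (valid shape only, not the hash of any real password).
const SAMPLE = "$2a$10$abcdefghijklmnopqrstuv0123456789ABCDEFGHIJKLMNOPQRSTU";

console.log(parseBcryptHash(SAMPLE));
```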