Matching Hashed + Salted Passwords
I'm learning about encryption and security and I'm a little confused by a (possibly simple) concept.
I understand how hashing and salts work for the most part, but I don't understand how functions match passwords. For example, here is part of passlib's documentation:
>>> # import the hash algorithm
>>> from passlib.hash import sha256_crypt
>>> # generate new salt, and hash a password
>>> hash = sha256_crypt.encrypt("toomanysecrets")
>>> hash
'$5$rounds=80000$zvpXD3gCkrt7tw.1$QqeTSolNHEfgryc5oMgiq1o8qCEAcmye3FoMSuvgToC'
>>> # verifying the password
>>> sha256_crypt.verify("toomanysecrets", hash)
True
>>> sha256_crypt.verify("joshua", hash)
False
On the 4th line, it mentions generating a new salt, but as far as I can tell the salt is never stored alongside the password.
Why can I store the hashed password as a string in a database and verify it later without providing a salt?
Per the documentation:
An sha256-crypt hash string has the format
$5$rounds=rounds$salt$checksum
The salt (in your case 'zvpXD3gCkrt7tw.1') is stored within the string itself; that's why it doesn't need to be stored separately.
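As an added illustration (not from the question, the answer, or passlib itself): a parser for the $scheme$rounds=N$salt$checksum layout above, plus a verify routine that re-derives the checksum from the salt and round count carried inside the stored string, which is exactly why no separate salt column is needed. The checksum function is PBKDF2-HMAC-SHA256 from the standard library standing in for sha256-crypt's own algorithm, and the scheme label 'pbkdf2-sha256-demo' is made up for this example.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class ModularCryptHash:
    scheme: str      # "5" identifies sha256-crypt in the real format
    rounds: int
    salt: str
    checksum: str


def parse_mcf(hash_string: str) -> ModularCryptHash:
    """Split a '$scheme$rounds=N$salt$checksum' string into its four fields."""
    _, scheme, rounds_field, salt, checksum = hash_string.split("$")
    if not rounds_field.startswith("rounds="):
        raise ValueError("unsupported hash string layout")
    return ModularCryptHash(scheme, int(rounds_field[len("rounds="):]), salt, checksum)


# Demo scheme: same self-describing layout, but PBKDF2-HMAC-SHA256 computes the
# checksum instead of sha256-crypt's algorithm. The scheme name is invented here.
SCHEME = "pbkdf2-sha256-demo"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _checksum(password: str, salt: str, rounds: int) -> str:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("ascii"), rounds)
    return _b64(digest)


def hash_password(password: str, rounds: int = 80000, salt: Optional[str] = None) -> str:
    """Generate a fresh random salt (unless given) and embed it in the output string."""
    if salt is None:
        salt = _b64(os.urandom(12))  # 16 printable characters of random salt
    return f"${SCHEME}$rounds={rounds}${salt}${_checksum(password, salt, rounds)}"


def verify_password(password: str, hash_string: str) -> bool:
    """Recover salt and rounds from the stored string, recompute, compare in constant time."""
    parsed = parse_mcf(hash_string)
    if parsed.scheme != SCHEME:
        raise ValueError(f"unknown scheme: {parsed.scheme}")
    candidate = _checksum(password, parsed.salt, parsed.rounds)
    return hmac.compare_digest(candidate, parsed.checksum)
```

Running parse_mcf on the sha256-crypt string from the question yields rounds 80000 and salt 'zvpXD3gCkrt7tw.1', and hashing the same password twice gives two different strings because each call draws a new salt.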