
What password hashing algorithm does devise use?

I would like to store and validate passwords in a ruby application that does not use devise, and have them be compatible with a future application that does use devise. What is the default password hashing scheme that devise uses, and is it possible to extract and use just this component from devise?

Devise's DatabaseAuthenticatable module uses BCrypt to hash passwords, wrapped up in the Devise::Encryptor module. The relevant method, digest, is pretty simple:

require 'bcrypt'

# Devise::Encryptor.digest: append the (secret, non-stored) pepper if the
# model class has one, then let BCrypt generate a random salt and hash at
# the class's configured work factor. The returned string embeds algorithm,
# cost and salt, so it can later be verified on its own.
def self.digest(klass, password)
  if klass.pepper.present?
    password = "#{password}#{klass.pepper}"
  end
  ::BCrypt::Password.create(password, cost: klass.stretches).to_s
end

klass is only used to fetch a couple of parameters: pepper, a string which is appended onto the password pre-hashing but not stored in the database (unlike salt, which is appended as well but stored with the password in the DB); and cost, a measure of how secure the hash should be (see the docs). Both of these are static and you can hard-code them into your non-Devise app (but make sure to keep pepper secret!).

So, your hash method might be written just as:

require 'bcrypt'

# Same scheme without Devise: the pepper comes from the environment so it
# never lands in source control or the database; cost 10 is the work factor.
def self.digest(password)
  password = "#{password}#{ENV['PASSWORD_PEPPER']}"
  ::BCrypt::Password.create(password, cost: 10).to_s
end
