stackoom
  简体   繁体   中英

Do I need to store the salt with bcrypt?

 原文  2008-11-10 04:14:55       java/ encryption/ passwords/ salt/ bcrypt

Question

bCrypt's javadoc has this code for how to encrypt a password: 

String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt());

To check whether a plaintext password matches one that has been hashed previously, use the checkpw method: 

if (BCrypt.checkpw(candidate_password, stored_hash))
    System.out.println("It matches");
else
    System.out.println("It does not match");

These code snippets imply to me that the randomly generated salt is thrown away. Is this the case, or is this just a misleading code snippet?

1 answers

solution1
 210 ACCPTED  2008-11-10 04:33:24

The salt is incorporated into the hash (encoded in a base64-style format).

For example, in traditional Unix passwords the salt was stored as the first two characters of the password. The remaining characters represented the hash value. The checker function knows this, and pulls the hash apart to get the salt back out.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How Do I Separate The Salt from the Hash After Encrypting a Password with bCrypt using Java? BCrypt Salt: Invalid Salt Length PHP Bcrypt Salt as of 7.0 BCrypt: how can I generate a salt from the string I am hashing? BCrypt.checkpw() Invalid salt version exception How do I compare salt with a generated password? Where do we store key/passphrase/salt for encryption? How do I store a password that I need the true value for? Do I need SQLite in order to store some data on MySQL database How do I store data in Java without need of extra software?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM