Java 我需要用 bcrypt 存储盐吗?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/277044/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Do I need to store the salt with bcrypt?
提问by RodeoClown
bCrypt's javadochas this code for how to encrypt a password:
bCrypt 的 javadoc有关于如何加密密码的代码:
String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt());
To check whether a plaintext password matches one that has been hashed previously, use the checkpw method:
要检查明文密码是否与先前散列的密码匹配,请使用 checkpw 方法:
if (BCrypt.checkpw(candidate_password, stored_hash))
System.out.println("It matches");
else
System.out.println("It does not match");
These code snippets imply to me that the randomly generated salt is thrown away. Is this the case, or is this just a misleading code snippet?
这些代码片段对我来说意味着随机生成的盐被扔掉了。是这种情况,还是这只是一个误导性的代码片段?
采纳答案by Greg Hewgill
The salt is incorporated into the hash (encoded in a base64-style format).
盐被合并到哈希中(以 base64 样式格式编码)。
For example, in traditional Unix passwords the salt was stored as the first two characters of the password. The remaining characters represented the hash value. The checker function knows this, and pulls the hash apart to get the salt back out.
例如,在传统的 Unix 密码中,salt 被存储为密码的前两个字符。其余字符表示哈希值。检查器函数知道这一点,并将散列拉开以取回盐。
