bcrypt算法是否真的不需要生成盐值?

huangapple go评论90阅读模式
英文:

Is it really not required to generate salts for bcrypt?

问题

我正在使用golang.org/x/crypto/bcrypt包来存储密码。根据文档和其他SO的问题,似乎我不应该(或者至少不需要)在生成哈希之前为密码生成盐。这似乎与我所读到的有关密码学和现代密码存储的一切相悖,让我有点不安。只将用户的普通密码传递给bcrypt.GenerateFromPassword是否真的足够安全,还是我理解错了?

英文:

I'm using the golang.org/x/crypto/bcrypt package for storing passwords. Looking at documentation and other SO questions, it seems like I'm not supposed to (or at least don't have to) generate a salt for the password before I generate the hash. This seems counter to everything that I've read about cryptography and modern password storing, and makes me a bit nervous. Is it really secure enough to just pass the user's normal password into bcrypt.GenerateFromPassword, or am I reading things wrong?

答案1

得分: 3

bcrypt包生成盐用于应用程序。GenerateFromPassword的返回值编码了密码的成本、盐和哈希值。

英文:

The bcrypt package generates the salt for the application. The return value from GenerateFromPassword encodes the cost, salt and hash of the password.

huangapple
  • 本文由 发表于 2016年4月8日 04:29:26
  • 转载请务必保留本文链接:https://go.coder-hub.com/36486573.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定