英文:
Is it really not required to generate salts for bcrypt?
问题
我正在使用golang.org/x/crypto/bcrypt包来存储密码。根据文档和其他SO的问题,似乎我不应该(或者至少不需要)在生成哈希之前为密码生成盐。这似乎与我所读到的有关密码学和现代密码存储的一切相悖,让我有点不安。只将用户的普通密码传递给bcrypt.GenerateFromPassword是否真的足够安全,还是我理解错了?
英文:
I'm using the golang.org/x/crypto/bcrypt package for storing passwords. Looking at documentation and other SO questions, it seems like I'm not supposed to (or at least don't have to) generate a salt for the password before I generate the hash. This seems counter to everything that I've read about cryptography and modern password storing, and makes me a bit nervous. Is it really secure enough to just pass the user's normal password into bcrypt.GenerateFromPassword, or am I reading things wrong?
答案1
得分: 3
bcrypt包生成盐用于应用程序。GenerateFromPassword的返回值编码了密码的成本、盐和哈希值。
英文:
The bcrypt package generates the salt for the application. The return value from GenerateFromPassword encodes the cost, salt and hash of the password.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论