Bcrypt generating different hash for the same password

Question

I am using Bcrypt in Go to hash and compare the password given by the user. The thing is, in the login, when I compare the password using CompareHashAndPassword it never matches, so it always says that the password is incorrect. Based on the concept of hashing, it is supposed that with the same input we will always have the same output, and this is not my case.

**My code to hash (in the sign up)**

bs, err := bcrypt.GenerateFromPassword([]byte(Password), bcrypt.MinCost)

What I did

  • Send as password: 12345

  • When I print bs I get:

    Attempt 1: [36 50 97 36 48 52 36 49 104 78 117 77 56 73 113 99 114 78 99 111 100 57 57 120 101 69 117 118 117 103 87 108 68 76 88 70 119 110 65 116 68 108 118 57 68 86 81 88 77 50 71 78 101 81 104 65 54 67 107 121]

    Attempt 2: [36 50 97 36 48 52 36 47 50 84 70 73 120 56 70 67 116 69 101 48 113 86 89 103 89 119 71 97 46 120 77 116 83 86 57 56 112 122 66 103 46 106 74 104 108 82 113 117 85 110 51 103 115 107 109 102 109 49 115 113]

    Attempt 3: [36 50 97 36 48 52 36 51 103 97 117 103 49 74 110 113 85 101 113 54 121 69 108 109 72 76 108 72 46 85 121 65 87 122 103 119 88 71 82 114 56 105 65 69 49 113 73 112 52 48 85 69 85 47 118 56 56 47 48 67]

Correct me if I am wrong, but shouldn't the result be the same in all those attempts?

Then I save those values in the database, and these are the values for each attempt:

  1. $2a$04$1hNuM8IqcrNcod99xeEuvugWlDLXFwnAtDlv9DVQXM2GNeQhA6Cky
  2. $2a$04$/2TFIx8FCtEe0qVYgYwGa.xMtSV98pzBg.jJhlRquUn3gskmfm1sq
  3. $2a$04$3gaug1JnqUeq6yElmHLlH.UyAWzgwXGRr8iAE1qIp40UEU/v88/0C

Then, to compare the password, in the login:

err := bcrypt.CompareHashAndPassword(user.Password, []byte(p))

user.Password is a []byte; this value is consulted from the database.

p is the password sent in the form by the user.

Thank you

Answer 1

Score: 10

Bcrypt generates a random salt (that is included as a part of the resulting hash). So it is different every time, on purpose.

You need to use bcrypt.CompareHashAndPassword to compare the hashed password and the plaintext password.

The first argument of bcrypt.CompareHashAndPassword is the hashed password, the second is the plaintext password. <del>So you passed them in the wrong order.</del>

WARNING: the cost you've chosen, 4, is extremely low. Consider choosing something like 10 or over.
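
As an added example (not code from the question, the answer, or golang.org/x/crypto/bcrypt): the three stored strings in the question already contain everything the answer describes, so the program below takes them apart. It uses only the Go standard library, with hypothetical helpers ParseBcryptHash, CostTooLow and DistinctSalts that are not part of x/crypto/bcrypt, decodes the 22-character salt field with bcrypt's own base64 alphabet, shows that the three salts differ while the version and cost fields are identical, and flags cost 04 as below the answer's recommended minimum of 10 (which is also bcrypt.DefaultCost). The only inputs are the three hashes from the question; the cost-12 string in the test is a constructed variant of the first one.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// bcrypt stores salt and digest with its own base64 alphabet (not RFC 4648)
// and no padding; this is the alphabet used by the "$2a$" modular crypt format.
const bcryptAlphabet = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

var bcryptB64 = base64.NewEncoding(bcryptAlphabet).WithPadding(base64.NoPadding)

// MinRecommendedCost mirrors the answer's advice (and bcrypt.DefaultCost): 10.
const MinRecommendedCost = 10

// ParsedHash holds the fields of one stored "$2a$NN$<salt><digest>" string.
type ParsedHash struct {
	Version string // "2a" here; other implementations emit "2b" or "2y"
	Cost    int    // work factor: 2^Cost key-expansion rounds
	Salt    []byte // the 16 random bytes GenerateFromPassword drew for this hash
	SaltB64 string // the same salt as the 22 characters stored in the string
	HashB64 string // the 31-character encoded digest of salt+password
}

// ParseBcryptHash splits a stored bcrypt string into its parts. Hypothetical
// helper written for this page; x/crypto/bcrypt does this internally and
// only exposes the cost through bcrypt.Cost.
func ParseBcryptHash(s string) (ParsedHash, error) {
	var p ParsedHash
	parts := strings.Split(s, "$") // "", version, cost, salt+digest
	if len(parts) != 4 || parts[0] != "" {
		return p, errors.New("bcrypt: expected $version$cost$payload")
	}
	if len(parts[1]) < 2 || parts[1][0] != '2' {
		return p, fmt.Errorf("bcrypt: unsupported version %q", parts[1])
	}
	cost, err := strconv.Atoi(parts[2])
	if err != nil || len(parts[2]) != 2 || cost < 4 || cost > 31 {
		return p, fmt.Errorf("bcrypt: bad cost field %q", parts[2])
	}
	payload := parts[3]
	if len(payload) != 22+31 {
		return p, fmt.Errorf("bcrypt: payload has %d chars, want 53", len(payload))
	}
	salt, err := bcryptB64.DecodeString(payload[:22])
	if err != nil || len(salt) != 16 {
		return p, fmt.Errorf("bcrypt: salt is not 16 bytes of bcrypt-base64: %v", err)
	}
	if _, err := bcryptB64.DecodeString(payload[22:]); err != nil {
		return p, fmt.Errorf("bcrypt: digest is not bcrypt-base64: %v", err)
	}
	p.Version, p.Cost, p.Salt = parts[1], cost, salt
	p.SaltB64, p.HashB64 = payload[:22], payload[22:]
	return p, nil
}

// CostTooLow reports whether a stored hash was made with a work factor below
// min; a login handler uses this to decide to rehash after a successful compare.
func CostTooLow(p ParsedHash, min int) bool { return p.Cost < min }

// DistinctSalts answers the question on this page: every GenerateFromPassword
// call draws a fresh salt, so hashes of the same password differ in that field.
func DistinctSalts(hashes []string) (bool, error) {
	seen := map[string]bool{}
	for _, h := range hashes {
		p, err := ParseBcryptHash(h)
		if err != nil {
			return false, err
		}
		if seen[p.SaltB64] {
			return false, nil
		}
		seen[p.SaltB64] = true
	}
	return true, nil
}

func main() {
	// The three hashes the question shows for the password "12345".
	hashes := []string{
		"$2a$04$1hNuM8IqcrNcod99xeEuvugWlDLXFwnAtDlv9DVQXM2GNeQhA6Cky",
		"$2a$04$/2TFIx8FCtEe0qVYgYwGa.xMtSV98pzBg.jJhlRquUn3gskmfm1sq",
		"$2a$04$3gaug1JnqUeq6yElmHLlH.UyAWzgwXGRr8iAE1qIp40UEU/v88/0C",
	}
	for _, h := range hashes {
		p, err := ParseBcryptHash(h)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("version=%s cost=%d salt=%x costTooLow=%v\n",
			p.Version, p.Cost, p.Salt, CostTooLow(p, MinRecommendedCost))
	}
	ok, _ := DistinctSalts(hashes)
	fmt.Println("all salts distinct:", ok)
}
```

In the real login handler the only call needed is bcrypt.CompareHashAndPassword(user.Password, []byte(p)) with the stored hash first, which is the order the question's login code already uses; it reads the salt and cost out of the stored string itself, so nothing has to be kept alongside it. If that call returns nil and bcrypt.Cost(user.Password) is below your minimum, call GenerateFromPassword again with the higher cost and store the new value.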

huangapple
  • Posted on 2017-06-14 07:37:41
  • When reposting, please keep the link to this article: https://go.coder-hub.com/44533183.html