I'm using crypt() in PHP for password hashing, and I'm trying to work out the safest way to test the equality of the generated hash when doing a password check.
I can see three options:
Option 1 - double equals
function checkPassword($hash, $password)
{
    return crypt($password, $hash) == $hash;
}
Option 2 - triple equals
function checkPassword($hash, $password)
{
    return crypt($password, $hash) === $hash;
}
Option 3 - strcmp()
function checkPassword($hash, $password)
{
    return strcmp(crypt($password, $hash), $hash) === 0;
}
My gut tells me that option 1 is a bad idea because of the lack of type checking, and that option 2 or 3 is probably better. But I can't work out whether there are specific cases in which === or strcmp would fail. Which is the safest?
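The comparison question above, as an added example that is not part of the original post: it keeps the question's checkPassword() signature but adds a guard for stored values that are not a complete bcrypt hash and uses hash_equals() for the comparison. It assumes PHP 7 or later (scalar type hints, password_hash for the constructed sample values); nothing else is taken from the question.

```php
<?php
// Added example, not code from the question. checkPassword() keeps the
// question's signature; the length/prefix guard and hash_equals() are the
// additions. Assumes PHP >= 7 and a 60-character bcrypt hash in $hash.

function checkPassword(string $hash, string $password): bool
{
    // A stored value that is not a complete bcrypt hash (empty column, truncated
    // row, a crypt() failure string such as "*0" saved by mistake) must fail
    // closed rather than be fed back into crypt() as a "salt".
    if (strlen($hash) !== 60 || !preg_match('/^\$2[axy]\$\d{2}\$/', $hash)) {
        return false;
    }
    $computed = crypt($password, $hash);
    // ==, === and strcmp() all stop at the first differing byte, so their run
    // time depends on how much of the hash matched. hash_equals() (PHP >= 5.6)
    // compares every byte regardless of where the strings differ.
    return hash_equals($hash, $computed);
}

// Why == in particular is unsafe for comparing strings: PHP compares two
// numeric-looking strings as numbers, so these two are "equal".
var_dump('0e123' == '0e456');      // bool(true)
var_dump('0e123' === '0e456');     // bool(false)

// Constructed demonstration values (cost kept low so this runs quickly).
$stored = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(checkPassword($stored, 'correct horse battery staple')); // bool(true)
var_dump(checkPassword($stored, 'wrong password'));               // bool(false)
var_dump(checkPassword('*0', 'anything'));                         // bool(false)
```

When the stored hashes come from password_hash() or from crypt() with a bcrypt salt, password_verify() (PHP >= 5.5) performs exactly this crypt-plus-constant-time comparison internally and is the simpler choice.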
The question is the same as the title: does BCrypt use $2x$?
Is the following correct?
We have a set of passwords that were hashed with the $2a$ prefix when the server's PHP version was older than 5.3.7. Now we have upgraded PHP to 5.3.7+, so we must first verify the old passwords with the $2x$ algorithm and then rehash them with the $2y$ prefix. Is that right?
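The migration described above, as an added example that is not part of the original post. It assumes PHP 7 or later (password_hash, scalar type hints); the $saveHash callback is a hypothetical persistence hook that writes the upgraded hash back to the user's record, and the "legacy" hash at the bottom is constructed on a current PHP because a real pre-5.3.7 hash cannot be produced here.

```php
<?php
// Added example, not from the question. Assumes PHP >= 7. $saveHash is a
// hypothetical callback that persists the new hash for the account.

// Recompute $password under the given bcrypt variant ('$2a$', '$2x$' or '$2y$'),
// reusing the cost and salt embedded in $storedHash, and compare everything
// after the 4-character prefix (cost, salt and digest must all match).
function bcryptTailMatches(string $password, string $storedHash, string $variant): bool
{
    $computed = crypt($password, $variant . substr($storedHash, 4));
    return strlen($computed) === 60
        && hash_equals(substr($storedHash, 4), substr($computed, 4));
}

function verifyAndUpgrade(string $password, string $storedHash, callable $saveHash): bool
{
    if (strlen($storedHash) !== 60) {
        return false;
    }
    $prefix = substr($storedHash, 0, 4);

    if ($prefix === '$2y$') {
        // Already migrated: plain verification, nothing to rewrite.
        return bcryptTailMatches($password, $storedHash, '$2y$');
    }
    if ($prefix !== '$2a$') {
        return false;
    }

    // Legacy $2a$ hash from pre-5.3.7 PHP. Only passwords containing bytes >= 0x80
    // were affected by the bug, so the corrected algorithm ($2y$) is tried first
    // and the bug-compatible one ($2x$, available since PHP 5.3.7) only as a fallback.
    $matched = bcryptTailMatches($password, $storedHash, '$2y$')
            || bcryptTailMatches($password, $storedHash, '$2x$');
    if (!$matched) {
        return false;
    }

    // The plaintext has just been proven correct: store a fresh $2y$ hash with a
    // new salt so the $2x$ path is never needed for this account again.
    $saveHash(password_hash($password, PASSWORD_BCRYPT));
    return true;
}

// Constructed demonstration: a "$2a$"-prefixed hash made on a current PHP stands
// in for the legacy record.
$legacy   = '$2a$' . substr(password_hash('pässword', PASSWORD_BCRYPT, ['cost' => 10]), 4);
$upgraded = null;
var_dump(verifyAndUpgrade('pässword', $legacy, function ($new) use (&$upgraded) {
    $upgraded = $new;
}));                                    // bool(true)
var_dump(substr($upgraded, 0, 4));      // string(4) "$2y$"
var_dump(verifyAndUpgrade('wrong', $legacy, function ($new) {}));   // bool(false)
```

Trying $2y$ before $2x$ means accounts whose passwords were never affected by the bug are verified with the corrected algorithm, and the $2x$ fallback only runs when the corrected check fails.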
I'm trying to implement authentication with BCrypt in my Play 2.1 Java application, but I get an Invalid salt version exception when I try to verify a user.
Here is my stack trace
play.api.Application$$anon$1: Execution exception[[IllegalArgumentException: Invalid salt version]]
at play.api.Application$class.handleError(Application.scala:289) ~[play_2.10.jar:2.1.0]
at play.api.DefaultApplication.handleError(Application.scala:383) [play_2.10.jar:2.1.0]
at play.core.server.netty.PlayDefaultUpstreamHandler$$anon$2$$anonfun$handle$1.apply(PlayDefaultUpstreamHandler.scala:132) [play_2.10.jar:2.1.0]
at play.core.server.netty.PlayDefaultUpstreamHandler$$anon$2$$anonfun$handle$1.apply(PlayDefaultUpstreamHandler.scala:128) [play_2.10.jar:2.1.0]
at play.api.libs.concurrent.PlayPromise$$anonfun$extend1$1.apply(Promise.scala:113) [play_2.10.jar:2.1.0]
at play.api.libs.concurrent.PlayPromise$$anonfun$extend1$1.apply(Promise.scala:113) [play_2.10.jar:2.1.0]
java.lang.IllegalArgumentException: Invalid salt version
at org.mindrot.jbcrypt.BCrypt.hashpw(BCrypt.java:664) ~[jbcrypt-0.3m.jar:na]
at org.mindrot.jbcrypt.BCrypt.checkpw(BCrypt.java:763) ~[jbcrypt-0.3m.jar:na]
at model.operations.DistrictOperations.authenticate(DistrictOperations.java:24) ~[na:na]
at controllers.Application.authenticateDistrict(Application.java:26) ~[na:na]
at Routes$$anonfun$routes$1$$anonfun$applyOrElse$2$$anonfun$apply$2.apply(routes_routing.scala:133) ~[na:na]
at Routes$$anonfun$routes$1$$anonfun$applyOrElse$2$$anonfun$apply$2.apply(routes_routing.scala:133) ~[na:na]
I'm using the following maven repository: http://mvnrepository.com/artifact/org.mindrot/jbcrypt/0.3m
So, based on the documentation, my code is
district.setPassword(BCrypt.hashpw(json.findPath("password").getTextValue(), BCrypt.gensalt()));
to save the password (I also check that the password is not empty), and
BCrypt.checkpw(password, d.getPassword());
to check whether the entered password is correct, where password is a String and d.getPassword() is the hashed password.
I don't know whether this is relevant, but to be precise I'm using Hibernate for ORM and PostgreSQL 8.4 as the DB.
I'm a bit stuck here, so I'm asking whether anyone can help me. Thanks in advance.
I'm looking for a simple, easy-to-use, cross-platform bcrypt library for C. I've searched in several places, but nothing seems as easy to use as this:
http://bcrypt.codeplex.com/SourceControl/changeset/view/1eef0262901c#BCrypt.Net.Test%2fTestBCrypt.cs
Why are all the C implementations such a nightmare compared with this .NET lib? Basically I'm looking for 2 functions.
1) generate a salt (returns a string)
2) hash a string with the given salt & pw (returns a string)
Hey, when I try to start the rails server I get the following error
Any ideas? No workable solution so far...
By the way, I'm running Windows 8... that could be the problem :D
C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/activesupport-3.2.11/lib/active_support/dependencies.rb:251:in `require': cannot load such file -- 1.9/bcrypt_ext (LoadError)
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/activesupport-3.2.11/lib/active_support/dependencies.rb:251:in `block in require'
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/activesupport-3.2.11/lib/active_support/dependencies.rb:236:in `load_dependency'
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/activesupport-3.2.11/lib/active_support/dependencies.rb:251:in `require'
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/bcrypt-ruby-3.1.0-x86-mingw32/lib/bcrypt_ext.rb:2:in `<top (required)>'
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/activesupport-3.2.11/lib/active_support/dependencies.rb:251:in `require'
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/activesupport-3.2.11/lib/active_support/dependencies.rb:251:in `block in require'
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/activesupport-3.2.11/lib/active_support/dependencies.rb:236:in `load_dependency'
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/activesupport-3.2.11/lib/active_support/dependencies.rb:251:in `require'
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/bcrypt-ruby-3.1.0-x86-mingw32/lib/bcrypt.rb:12:in `<top (required)>'
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/bundler-1.3.4/lib/bundler/runtime.rb:72:in `require'
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/bundler-1.3.4/lib/bundler/runtime.rb:72:in `block (2 levels) in require'
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/bundler-1.3.4/lib/bundler/runtime.rb:70:in `each'
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/bundler-1.3.4/lib/bundler/runtime.rb:70:in `block in require'
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/bundler-1.3.4/lib/bundler/runtime.rb:59:in `each'
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/bundler-1.3.4/lib/bundler/runtime.rb:59:in `require'
from C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/bundler-1.3.4/lib/bundler.rb:132:in `require'
from C:/Users/Enno/RubymineProjects/BookWriting2.0/config/application.rb:13:in `<top (required)>'
from …

What is the difference between PASSWORD_DEFAULT and PASSWORD_BCRYPT? Do they both use the Blowfish encryption algorithm? What is the cost of the algorithm? How do I make password_hash in PHP produce a hash of length 255 instead of 60?
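The PASSWORD_DEFAULT / PASSWORD_BCRYPT question above, as an added example that is not part of the original post. It assumes PHP 7.4 or later; the sample password, the chooseCost() helper and the 250 ms target are constructed for the demonstration and are not PHP's own API.

```php
<?php
// Added example, not from the question. Assumes PHP >= 7.4. Shows what
// password_hash() produces for PASSWORD_BCRYPT and PASSWORD_DEFAULT, how the
// cost parameter scales the work, and one way to pick a cost for this host.

function describeHash(string $hash): array
{
    $info = password_get_info($hash);
    return [
        'length' => strlen($hash),
        'algo'   => $info['algoName'],
        'cost'   => $info['options']['cost'] ?? null,
    ];
}

// Largest cost in [$minCost, $maxCost] for which a single hash stays under
// $targetMs on this machine. Each +1 in cost doubles the Blowfish key-setup
// iterations (2^cost of them), so hashing time doubles as well.
function chooseCost(int $targetMs = 250, int $minCost = 10, int $maxCost = 15): int
{
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        if ((microtime(true) - $start) * 1000 > $targetMs) {
            return max($minCost, $cost - 1);
        }
    }
    return $maxCost;
}

$password = 'correct horse battery staple';   // constructed sample input
$bcrypt   = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
$default  = password_hash($password, PASSWORD_DEFAULT);

print_r(describeHash($bcrypt));   // length 60, algo bcrypt, cost 12
print_r(describeHash($default));  // PASSWORD_DEFAULT has been bcrypt, cost 10, in every PHP release so far

// Rehash-on-login: after the password has been verified, check whether the
// stored hash still matches the current algorithm and cost policy; if not,
// replace it while the plaintext is available.
$policy = ['cost' => chooseCost()];
if (password_verify($password, $bcrypt)
    && password_needs_rehash($bcrypt, PASSWORD_DEFAULT, $policy)) {
    $bcrypt = password_hash($password, PASSWORD_DEFAULT, $policy);
}
var_dump(strlen($bcrypt)); // int(60): bcrypt output is always 60 characters
```

A bcrypt hash is always 60 characters: the "$2y$" prefix, a two-digit cost, "$", 22 characters of salt and 31 characters of digest. It cannot be made 255 characters long; the 255-character column width the PHP manual recommends exists so that a future PASSWORD_DEFAULT algorithm with longer output still fits without a schema change.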
I'm trying to store a salt and a hashed password before each document is inserted into the collection. But when encoding the salt and the password, it shows the following error:
line 26, in before_insert
document['salt'] = bcrypt.gensalt().encode('utf-8')
AttributeError: 'bytes' object has no attribute 'encode'
Here is my code:
import bcrypt

def before_insert(documents):
    for document in documents:
        # under Python 3, bcrypt.gensalt() already returns bytes, so the
        # .encode('utf-8') on the next line is what raises the AttributeError above
        document['salt'] = bcrypt.gensalt().encode('utf-8')
        password = document['password'].encode('utf-8')
        document['password'] = bcrypt.hashpw(password, document['salt'])
I'm using the eve framework with Python 3.4 in a virtualenv
How strong is bcrypt compared with, say,
import hashlib

def md5lots(password, salt, rounds):
    # rounds <= 0 returns the input unchanged; each further round feeds the
    # previous hex digest plus the salt back into md5
    if rounds < 1:
        return password
    else:
        newpass = hashlib.md5((password + salt).encode('utf-8')).hexdigest()
        return md5lots(newpass, salt, rounds - 1)
Given its hype, I get the feeling that people smarter than me have worked out that bcrypt is better than this. Can someone explain the difference in "intelligent layman's" terms?
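The comparison the question asks for, as an added example that is not part of the original post. md5lots() is the question's construction transcribed to PHP (with a guard added so that rounds below 1 can never return the plaintext); the sample password, the salt and the timing loop are constructed for the demonstration. It assumes PHP 7.4 or later.

```php
<?php
// Added example, not from the question. Assumes PHP >= 7.4. md5lots() is the
// question's scheme in PHP; the rest contrasts it with bcrypt on the same input.

function md5lots(string $password, string $salt, int $rounds): string
{
    if ($rounds < 1) {
        // The question's version returns the plaintext here; refuse instead.
        throw new InvalidArgumentException('rounds must be >= 1');
    }
    $h = $password;
    for ($i = 0; $i < $rounds; $i++) {
        $h = md5($h . $salt);   // 32 hex chars of the previous round, plus salt
    }
    return $h;
}

function millis(callable $f): float
{
    $start = microtime(true);
    $f();
    return (microtime(true) - $start) * 1000;
}

$password = 'correct horse battery staple';   // constructed sample input
$salt     = bin2hex(random_bytes(16));        // constructed 128-bit salt

// 1. Work factor. bcrypt's cost is logarithmic (cost+1 doubles the work) and is
//    written into the hash, so the verifier knows it. md5lots must keep 'rounds'
//    and the salt in separate columns to be verifiable at all.
foreach ([10, 11, 12] as $cost) {
    $ms = millis(fn() => password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]));
    printf("bcrypt cost %2d        : %7.1f ms\n", $cost, $ms);
}
foreach ([100000, 200000, 400000] as $rounds) {
    $ms = millis(fn() => md5lots($password, $salt, $rounds));
    printf("md5lots %6d rounds : %7.1f ms\n", $rounds, $ms);
}

// 2. Self-describing output: everything needed to re-verify is in the hash.
$h = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
echo $h, "\n";                              // $2y$10$<22-char salt><31-char digest>
print_r(password_get_info($h));             // algoName => bcrypt, options => [cost => 10]
var_dump(password_verify($password, $h));   // bool(true)
```

The timing loop shows only that both can be made slow; the difference that matters is not visible on one CPU. Each md5 round works on 16 bytes of state, so an attacker can run a very large number of guesses in parallel on a GPU. bcrypt's Blowfish key setup rewrites a 4 KB set of S-boxes for every guess, which fits GPU memory hierarchies badly, so the attacker's per-guess cost stays much closer to the defender's. A second, smaller point: repeatedly applying a fixed function to a 128-bit value, as md5lots does, shrinks the set of reachable outputs with every round, whereas bcrypt's rounds are part of one key schedule rather than a chain of independent hashes.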
I can't get BCrypt's checkpw(plaintextpw, previoushash) method to work with a plaintext password and a previous hash.
In the register servlet, I take the entered password, hash it with BCrypt's hashpw(password, genSalt) method and store it in the db.
In the login servlet, I fetch that hash from the db and use BCrypt's checkpw to see whether it matches the entered password.
It never matches. This works fine in my regular Java app, but not in the webapp. Nobody else has this problem, so I assume I must be doing something wrong:
//RegisterServlet
String pw_hash = BCrypt.hashpw(request.getParameter("password"), BCrypt.gensalt());
// Parameterised statements: the hash contains '$' and '/' characters and the user
// name is client-controlled, so neither is spliced into the SQL text. 'conn' is
// the servlet's existing JDBC Connection (the original built statements from 'stmt').
PreparedStatement ins = conn.prepareStatement(
    "insert into login (loname, lopassword, locustomerid) VALUES (?, ?, ?)");
ins.setString(1, username);
ins.setString(2, pw_hash);      // 60 characters; lopassword must be at least that wide
ins.setString(3, loginInsert);
ins.executeUpdate();

//LoginServlet
String dbhash = null;
PreparedStatement sel = conn.prepareStatement(
    "select lopassword from login where loname = ?");
sel.setString(1, loginName);
ResultSet rs = sel.executeQuery();
while (rs.next()) {
    dbhash = rs.getString(1);
}
// checkpw() throws on a null or malformed hash, so an unknown user fails closed here
if (dbhash != null && BCrypt.checkpw(request.getParameter("password"), dbhash)) {
    out.println("It matches");
} else {
    out.println("It does not match");
}
The BCrypt API is very simple - here
I don't store the salt because with BCrypt you're not supposed to need it - so what am I doing wrong?