39

I want to use bcrypt to hash passwords and later verify whether a supplied password is correct.

Hashing passwords is easy:

import bcrypt

password = u'foobar'
password_hashed = bcrypt.hashpw(password, bcrypt.gensalt())

# then store password_hashed in a database

How do I compare a plain-text password with the stored hash?

4

5 Answers

67

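With py-bcrypt, you don't need to store the salt separately: bcrypt stores the salt in the hash.

You can simply use the hash as the salt; the salt is stored at the beginning of the hash.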

>>> import bcrypt
>>> salt = bcrypt.gensalt()
>>> hashed = bcrypt.hashpw('secret', salt)
>>> hashed.find(salt)
0
>>> hashed == bcrypt.hashpw('secret', hashed)
True
>>>
answered 2012-10-21T19:11:06.870
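
The layout the answer above relies on, as an added example (not code from the thread or from py-bcrypt): a standard-library parser for the stored string $<version>$<cost>$<22-char salt><31-char digest>, returning the prefix that hashpw reuses when the stored hash is passed as the salt. SAMPLE is a constructed string, and needs_rehash with its min_cost default is a hypothetical policy helper.

```python
import re

# $<version>$<cost>$ followed by a 22-char salt and a 31-char digest,
# both in bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(
    r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})"
)

# Constructed sample with the right shape; not the hash of any real password.
SAMPLE = "$2b$10$" + "abcdefghijklmnopqrstuO" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"


def parse_bcrypt_hash(stored):
    """Split a stored bcrypt string into version, cost, salt and digest."""
    if isinstance(stored, bytes):
        stored = stored.decode("ascii", "replace")
    m = BCRYPT_RE.fullmatch(stored)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    version, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:  # bcrypt accepts work factors 4..31 only
        raise ValueError("bcrypt cost out of range")
    return {"version": version, "cost": cost, "salt": salt, "digest": digest}


def salt_prefix(stored):
    """Return the leading part that is re-read when the hash is used as the salt."""
    p = parse_bcrypt_hash(stored)
    return "$%s$%02d$%s" % (p["version"], p["cost"], p["salt"])


def needs_rehash(stored, min_cost=12):
    """Hypothetical policy check: flag hashes created with a lower work factor."""
    return parse_bcrypt_hash(stored)["cost"] < min_cost


if __name__ == "__main__":
    print(parse_bcrypt_hash(SAMPLE))
    print(salt_prefix(SAMPLE), needs_rehash(SAMPLE))
```

Rejecting a malformed stored value before it reaches the hashing call keeps a corrupted or truncated database field from being treated as a salt.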
19

The documentation doesn't mention storing the salt; it says you only need to:

#Initial generation
hashed = bcrypt.hashpw(password, bcrypt.gensalt())
#Store hashed in your db

#Load hashed from the db and check the provided password
if bcrypt.hashpw(password, hashed) == hashed:
    print "It matches"
else:
    print "It does not match"

http://www.mindrot.org/projects/py-bcrypt/

answered 2012-05-03T18:56:57.980
6

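Later, suppose you have a user-entered password, user_pass. You hash it as well and then compare that hash with the stored hash; if they match, the original passwords match too.

Note that bcrypt automatically stores the salt value as part of the hashed password, so that you can also use it when hashing future input.

First time around: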

import bcrypt

password = u'foobar'
salt = bcrypt.gensalt()
password_hashed = bcrypt.hashpw(password, salt)

# store 'password_hashed' in a database of your choosing

Later times:

import bcrypt
password = something_that_gets_input()

stored_hash = something_that_gets_this_from_the_db()

if bcrypt.hashpw(password, stored_hash) == stored_hash:
    pass  # password matches
answered 2012-03-04T22:47:06.093
4

I'm not familiar with Python, but I think you can use:
public static boolean checkpw(java.lang.String plaintext, java.lang.String hashed)

# Check that an unencrypted password matches one that has  
# previously been hashed.
if bcrypt.checkpw(plaintext, hashed):
    print "It matches"
else:
    print "It does not match"
answered 2014-05-17T10:11:13.853
0

I think this one would be better:

for key in rserver.keys():
    salt = bcrypt.gensalt(12)

    mdp_hash = rserver.get(key)
    # hash with the same salt that is written to rsalt below
    rserver.set(key, bcrypt.hashpw(mdp_hash.encode(), salt))

    rsalt.set(key, salt)
answered 2021-02-14T13:56:52.633