dick (04/25/2022, 10:49 AM):
hash() with an application and a per-user salt to generate passwords. With a new app I'm working on, I'm looking at bcrypt but from what I've read it doesn't have the concept of an application and per-user salt. Is adding an application-wide workfactor enough? Should I also top-and-tail the password with the two salts as I've done in the past?

wil-shiftinsert (04/25/2022, 12:22 PM):
    $2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
    \__/\/ \____________________/\_____________________________/
    Alg Cost      Salt                        Hash
dick (04/25/2022, 12:26 PM):
bcrypt( applicationSalt & password & userSalt, workfactor ) then, you'd just bcrypt( password, workfactor ) and that would be considered safe?

wil-shiftinsert (04/25/2022, 12:42 PM):

dick (04/25/2022, 12:57 PM):

wil-shiftinsert (04/25/2022, 1:00 PM):
    string function hashPassword(
        required string password,
        workFactor=variables.settings.workFactor,
        salt=generateSalt( arguments.workFactor )
    ){
As you can see the workFactor is read from some settings here, and the salt is generated on the fly by calling the underlying Java bcrypt.genSalt(workFactor) method.
So in most cases you will be fine by just calling the hashPassword function with the password argument only.

dick (04/25/2022, 1:58 PM):
hashPassword() and saw that salt has to be an int like workFactor, so it couldn't take my user salt.
    string function generateSalt( workFactor=variables.settings.workFactor ){
        return variables.bcrypt.genSalt( javaCast( "int", arguments.workFactor ) );
    }
wil-shiftinsert (04/25/2022, 1:59 PM):
variables.bcrypt.genSalt( javaCast( "int", arguments.workFactor ) ) it to see if it is a number. genSalt is passing a number to the bcrypt library to determine the number of iterations, but I think it is generating a string.

dick (04/25/2022, 2:16 PM):
generateSalt() does return a string, but I can't hashPassword( password='myUserPassword', salt='myUserSalt' ) because I get back "Invalid salt version".

wil-shiftinsert (04/25/2022, 2:20 PM):

dick (04/25/2022, 4:23 PM):
hash() that I'm trying to apply this to bcrypt. Maybe I should relax and drop the application and user salt from my app.
Thanks for your insight.

bdw429s (04/25/2022, 5:08 PM):

dick (04/26/2022, 9:27 AM):

Jochem (04/28/2022, 5:41 PM):

dick (04/29/2022, 8:20 AM):