问题
I'm trying to configure Bcrypt for a node app that I'm making and have several questions about salts that I hope someone here can help kindly answer.
What is a salt 'round'? For example, in the github docs (https://github.com/kelektiv/node.bcrypt.js/) it uses a salt round of 10. What does that mean exactly?
Is the salt generated by Bcrypt always the same? For example, if I am saving user's hashed passwords to a DB, is the salt that it used to hash the password the same for every password?
How is the salt stored? Is it secure from potential attacks?
回答1:
- With "salt round" they actually mean the cost factor. The cost factor controls how much time is needed to calculate a single BCrypt hash. The higher the cost factor, the more hashing rounds are done. Increasing the cost factor by 1 doubles the necessary time. The more time is necessary, the more difficult is brute-forcing.
- The salt is a random value, and should differ for each calculation, so the result should hardly ever be the same, even for equal passwords.
- The salt is usually included in the resulting hash-string in readable form. So with storing the hash-string you also store the salt. Have a look at this answer for more details.
来源:https://stackoverflow.com/questions/46693430/what-are-salt-rounds-and-how-are-salts-stored-in-bcrypt