Do I need to store the salt with bcrypt?

bCrypt’s javadoc has this code for how to encrypt a password:

    String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt());

To check whether a plaintext password matches one that has been hashed previously, use the checkpw method:

    if (BCrypt.checkpw(candidate_password, stored_hash))
        System.out.println("It matches");
    else
        System.out.println("It does not match");

These code snippets imply to me that the randomly generated salt is …

Unable to install gem – Failed to build gem native extension – cannot load such file -- mkmf (LoadError)

Ruby 1.9.3

The part of Gemfile

    #……………
    gem "pony"
    gem "bcrypt-ruby", :require => "bcrypt"
    gem "nokogiri"
    #………………

When I’m trying to install gems, I get an error

    alex@ubuntu:~/$ bundle
    Fetching gem metadata from http://rubygems.org/………
    Fetching gem metadata from http://rubygems.org/..
    Enter your password to install the bundled RubyGems to your system: #####……………………………………………………
    Installing bcrypt-ruby (3.0.1) with …

What column type/length should I use for storing a Bcrypt hashed password in a Database?

I want to store a hashed password (using BCrypt) in a database. What would be a good type for this, and which would be the correct length? Are passwords hashed with BCrypt always of the same length?

EDIT

Example hash:

    $2a$10$KssILxWNR6k62B7yiX0GAe2Q7wwHlrzhF3LqtVvpyvHZf0MwvNfVu

After hashing some passwords, it seems that BCrypt always generates 60-character hashes.

EDIT 2 …

How can bcrypt have built-in salts?

Coda Hale’s article “How To Safely Store a Password” claims that: “bcrypt has salts built-in to prevent rainbow table attacks.” He cites this paper, which says that in OpenBSD’s implementation of bcrypt: “OpenBSD generates the 128-bit bcrypt salt from an arcfour (arc4random(3)) key stream, seeded with random data the kernel collects from device timings.” I …

How do you use bcrypt for hashing passwords in PHP?

Every now and then I hear the advice “Use bcrypt for storing passwords in PHP, bcrypt rules”. But what is bcrypt? PHP doesn’t offer any such functions, Wikipedia babbles about a file-encryption utility and Web searches just reveal a few implementations of Blowfish in different languages. Now Blowfish is also available in PHP via mcrypt, …