问题描述
I want to store a hashed password (using BCrypt) in a database. What would be a good type for this, and which would be the correct length? Are passwords hashed with BCrypt always of same length?
EDIT
Example hash:
$2a$10$KssILxWNR6k62B7yiX0GAe2Q7wwHlrzhF3LqtVvpyvHZf0MwvNfVu
After hashing some passwords, it seems that BCrypt always generates 60 character hashes.
EDIT 2
Sorry for not mentioning the implementation. I am using jBCrypt.
The modular crypt format for bcrypt consists of
$2$
,$2a$
or$2y$
identifying the hashing algorithm and format- a two digit value denoting the cost parameter, followed by
$
- a 53 characters long base-64-encoded value (they use the alphabet
.
,/
,0
–9
,A
–Z
,a
–z
that is different to the standard Base 64 Encoding alphabet) consisting of:- 22 characters of salt (effectively only 128 bits of the 132 decoded bits)
- 31 characters of encrypted output (effectively only 184 bits of the 186 decoded bits)
Thus the total length is 59 or 60 bytes respectively.
As you use the 2a format, you’ll need 60 bytes. And thus for MySQL I’ll recommend to use the CHAR(60) BINARY
or BINARY(60)
(see The _bin and binary Collations for information about the difference).
CHAR
is not binary safe and equality does not depend solely on the byte value but on the actual collation; in the worst case A
is treated as equal to a
. See The _bin
and binary
Collations for more information.
这篇关于我应该使用什么列类型/长度将 Bcrypt 散列密码存储在数据库中?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!