javascript - Bcrypt not that secure at hashing passwords? -


i using bcrypt generate salts , hash passwords, not think doing securely. when use following code:

bcrypt.gensalt(10, function(err, salt) {   user.salt = salt;   bcrypt.hash(password, salt, function(err, hash) {     user.hashed_password = hash;     console.log(user.salt);     console.log(user.hashed_password);     user.save(function(err) {       if (err) console.log(err);       console.log("saved");     });   }); });

in 1 example, salt is: $2a$10$mffjrpy1vrq7fy1ffp0fmo , hashed_password is: $2a$10$mffjrpy1vrq7fy1ffp0fmovnlv9ckgafdcq5xdtlp6uokz90i1fmu

the beginning of hashed password exact same salt. if attacker has access salt, can't remove salt hashed_password , either brute force or use table of predetermined hashed values determine password?

i thought should order of hashing password:

hash(salt + password)

not:

salt + hash(password)

the beginning of hashed password salt because need access salt in order verify password.

the data see neither hash (salt + password) nor salt + hash(password) -- of form

salt + hash(salt + password)

if attacker gains access data, then:

  • they can of course (theoretically) brute force password -- no technique can prevent this, rate limiting renders attack impractical. hash function used in instance designed take long time run, indirectly rate limiting attack.
  • they cannot use standard table of hashes find out password -- that's because hashed value contains unique salt. of course salt out there in clear table can calculated, since salt unique each hashed password no better brute force attack.

Comments

Post a Comment

Popular posts from this blog

php - Calling a template part from a post -

i include iframe within post in wordpress. located inside content of post, meaning cannot in post template file, otherwise either before or after. i'd add facebook plugin within posts: <div id="socialwrap"><div class="fb-like" data-href="http://onlinearizonahomes.info" data-send="true" data-width="450" data-show-faces="true" data-font="arial"></div></div> i thinking of calling template part within post <?php get_template_part( 'social' ); ?> cannot use php within post without plugin (i'd avoid using plugin this). an alternative using javascript create html in post, seems unnecessary use of javascript. what best way add html within wordpress post? you can use shortcode. add functions.php function cudjex_fbshare( $atts, $content = null ) { global $post; $link = get_permalink($post->id); return '<div id="socialwrap...
Read more

Firefox SVG shape not printing when it has stroke -

Image
i having issue svg shapes have stroke , trying them print in firefox. this simplest example: <svg xmlns="http://www.w3.org/2000/svg" version="1.1" xmlns:xlink="http://www.w3.org/1999/xlink"> <rect x="0" y="0" rx="15" ry="15" width="300" height="400" style="stroke:black;stroke-width:5;" fill="black" /> <circle id="firstcircle" cx="50" cy="50" r="30" stroke="black" stroke-width="2" fill="white" style="opacity:0.75;"/> <circle id="secondcircle" cx="50" cy="150" r="30" fill="white" style="opacity:0.75;"/> </svg> when try , print first shape 1 of 2 things: it not show @ all it shows off center in bounding box. the second shape no stroke shows expected, expected. when displaying on scre...
Read more

How to mention the localhost in android -

i trying call localhost in android application. unfortunately not possible used several methods emulator local host http://10.0.2.2/android/dbconnection.php and network ip address http://192.168.1.xx/android/dbconnection.php also http://localhost:8080/android/dbconnection.php but nothing connected localhost. purpose refer stackoverflow answers not working i facing same problem when worked on localhost. referred stackoverflow answer got solution create new emulator works fine in new emulator.
Read more