
Are bcrypt salts accessible separately?

When using has_secure_password in Rails 3.1, bcrypt randomly generates a salt for each user's password. Based on this response, I understand the salt is stored as part of the password hash. Is there a method or attribute available to access that salt separately, for example to use in writing secure cookies?

joanwolk asked May 31 '11 10:05


1 Answer

You'll be able to get the salt and checksum if you need it.

```
gem install bcrypt-ruby
irb
require 'bcrypt'

hash = BCrypt::Password.create 'superpass'
=> "$2a$10$DtjuZD6nJtrBRLEySlSVm.bJyBMhEhVRAeiVk/GjmQdBNf7WhmDWi"
hash.salt
=> "$2a$10$DtjuZD6nJtrBRLEySlSVm."
hash.checksum
=> "bJyBMhEhVRAeiVk/GjmQdBNf7WhmDWi"
hash == "starbucks"
=> false
hash == "superpass"
=> true
```

Your salt and checksum will vary.

More info: https://github.com/codahale/bcrypt-ruby

Jesse Wolgamott answered Oct 06 '22 00:10
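An added example, not part of the original answer or of bcrypt-ruby: a plain-Ruby parser for the hash string shown above, splitting it into version, cost, salt and checksum and decoding the salt to its 16 raw bytes. Because the salt is readable by anyone who holds the stored hash, the sketch generates a cookie token independently with `SecureRandom`; the names `parse_bcrypt`, `decode_bcrypt_base64` and `new_cookie_token` are hypothetical helpers.

```ruby
require 'securerandom'

# Layout: $<version>$<cost>$<22-char salt><31-char checksum>
BCRYPT_FORMAT = %r{\A\$(2[abxy]?)\$(\d\d)\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z}

# bcrypt packs bits like standard base64 but uses the alphabet "./A-Za-z0-9"
# without padding, so translate the alphabet, pad, and decode with unpack1('m').
def decode_bcrypt_base64(text)
  standard = text.tr('./A-Za-z0-9', 'A-Za-z0-9+/')
  standard += '=' * ((4 - standard.length % 4) % 4)
  standard.unpack1('m')
end

# Hypothetical helper: split a stored bcrypt hash into its fields.
# Raises ArgumentError on anything that is not a well-formed 60-character hash.
def parse_bcrypt(stored)
  m = BCRYPT_FORMAT.match(stored.to_s)
  raise ArgumentError, 'not a bcrypt hash' unless m

  version, cost, salt, checksum = m.captures
  {
    version: version,
    cost: cost.to_i,                            # work factor is 2**cost
    salt: salt,
    checksum: checksum,
    salt_prefix: "$#{version}$#{cost}$#{salt}", # same shape as hash.salt above
    raw_salt: decode_bcrypt_base64(salt)        # 16 bytes
  }
end

# Hypothetical helper: a cookie token that is independent of the password hash.
def new_cookie_token
  SecureRandom.urlsafe_base64(32)
end

if __FILE__ == $PROGRAM_NAME
  # The hash string quoted in the answer above, used as sample input.
  fields = parse_bcrypt('$2a$10$DtjuZD6nJtrBRLEySlSVm.bJyBMhEhVRAeiVk/GjmQdBNf7WhmDWi')
  puts "version=#{fields[:version]} cost=#{fields[:cost]}"
  puts "salt=#{fields[:salt_prefix]} (#{fields[:raw_salt].bytesize} raw bytes)"
  puts "checksum=#{fields[:checksum]}"
  puts "cookie token=#{new_cookie_token}"
end
```
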