
Bcrypt, what is meant salt and cost?

I was always using MD5 for encrypting passwords, but I read that it should no longer be used, and that bcrypt should be used instead.

I'm using Zend Framework 2, where I found it describing the bcrypt configuration as follows:

use Zend\Crypt\Password\Bcrypt;

$bcrypt = new Bcrypt(array(
    'salt' => 'random value', // optional; the class generates a random salt when this is omitted
    'cost' => 11              // work factor: 2^11 rounds of Blowfish key setup
));

What is the salt and what is the cost? And how should they be used?

darroosh asked Aug 30 '14 19:08




1 Answer

A salt is random text added to the string to be hashed. For example, you don't hash my_secret_password; you hash something like 1jfSLKe$*@SL$#)(Sslkfs$34:my_secret_password. The reason for this is that it makes it hard to set up a "rainbow table" to brute-force the passwords, even if the entire database of hashed passwords is stolen. If every password has a different salt, only the very weakest passwords (like "password" or "123456", which you should prohibit anyway) will be guessed.

A cost is a measure of how many times to run the hash -- how slow it is. You want it to be slow. Again, this is a redundant layer of security in case the hashed passwords are stolen. It makes it prohibitively expensive to brute-force anything.

You can read a good description here: https://security.stackexchange.com/a/51983/35405

elixenide answered Oct 02 '22 05:10
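The two points of the answer (a fresh random salt per password, and the cost as a work factor that is stored alongside the hash), as an added example that is not part of the original question or answer. It uses PHP's built-in password_hash(), which emits the same $2y$ string format that Zend\Crypt\Password\Bcrypt produces, so the Zend class is not needed to follow along; the password value is a constructed sample.

```php
<?php
// Added example, not from the question or answer: what bcrypt's salt and
// cost look like in practice, using PHP's built-in password_hash().

$password = 'my_secret_password';   // constructed sample input

// password_hash() draws a fresh random salt on every call; the cost is the
// work factor (2^cost rounds of Blowfish key setup), 11 as in the question.
$hash1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 11]);
$hash2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 11]);

// Same password, two different hashes: a per-password salt defeats
// precomputed (rainbow) tables, since each stored hash would need its own.
var_dump($hash1 !== $hash2);                            // bool(true)

// Layout of a bcrypt string: $2y$ <cost> $ <22-char salt> <31-char digest>.
// The salt is carried inside the string, so nothing extra has to be stored.
function bcryptParts(string $hash): array
{
    if (!preg_match('/^\$2[aby]\$(\d{2})\$(.{22})(.{31})$/', $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['cost' => (int) $m[1], 'salt' => $m[2], 'digest' => $m[3]];
}
print_r(bcryptParts($hash1));

// Verification reads cost and salt back out of the stored string, so the
// application code never handles the salt itself.
var_dump(password_verify($password, $hash1));           // bool(true)
var_dump(password_verify('wrong_password', $hash1));    // bool(false)

// Cost is exponential: each +1 doubles the work for a legitimate login and
// for an attacker's guesses alike. Measure it on the real server to pick a
// cost it can afford (a few hundred ms per login is a common rule of thumb).
foreach ([10, 11, 12] as $cost) {
    $start = microtime(true);
    password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    printf("cost %d: %.0f ms\n", $cost, (microtime(true) - $start) * 1000);
}

// When the cost is raised later, rehash each user on their next successful
// login: password_needs_rehash() flags hashes stored with the older cost.
var_dump(password_needs_rehash($hash1, PASSWORD_BCRYPT, ['cost' => 12])); // bool(true)
```

Run it with `php example.php`; the timing loop is the part worth repeating on production-class hardware before settling on a cost value.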