Question about Bcrypt::Password.create


5 replies to this topic

#1 Rowel

Rowel

    Controller

  • Members
  • 109 posts

Posted 13 September 2013 - 05:37 PM


2.0.0p247 :012 > my_password = BCrypt::Password.create("mypassword")
 => "$2a$10$mZ0zAQfV15MyGREu7DGAs.jvFOdT9nJhJjARiWY5CRU1VHAQ3w1Ma"
2.0.0p247 :013 > my_password = BCrypt::Password.create("mypassword")
 => "$2a$10$X98.1.0RtQ7Vf2AfUdTjBeUKtFkVEXKMz/Fp2BBta7.xVAaSU0F4S"
2.0.0p247 :014 > my_password = BCrypt::Password.create("mypassword")
 => "$2a$10$/g14BI.ZN0Oo8LHvSrC/yumKo3xR.R1ilyFCIgd2LQjn0DV40bI/O"

Bcrypt encrypting the same string "mypassword" results in different answers.  

 

Is this "normal"?  

 

I'm trying to implement a password reset in my App, and need to fill in the password field in my database to a new value.... I'm surprised encrypting the same string gives different results. 

 

Are they all valid? Correct? 



#2 KyleMacey

KyleMacey

    Passenger

  • Members
  • 4 posts
  • LocationRochester, NY

Posted 13 September 2013 - 08:17 PM

It's due to Bcrypt generating a random "salt" to store your password. It's a bit better explained here:

 

http://stackoverflow.../6833165/628859


  • Rowel likes this

#3 Ohm

Ohm

    Guard

  • Members
  • 179 posts
  • LocationCopenhagen

Posted 14 September 2013 - 07:41 AM

As Kyle said, it's because of the salt added to the password before hashing it. If you want a hash of the password without the salt being added automatically, try

>> Digest::MD5.hexdigest("mypassword")
=> "34819d7beeabb9260a5c854bc85b3e44"
>> Digest::MD5.hexdigest("mypassword")
=> "34819d7beeabb9260a5c854bc85b3e44"
>> 

Blog: http://ohm.sh | Twitter: madsohm


#4 Rowel

Rowel

    Controller

  • Members
  • 109 posts

Posted 14 September 2013 - 02:03 PM

Where does the salt come from? Randomly generated for each "run" of bcrypt? Or is that something set globally for the app?



#5 Ohm

Ohm

    Guard

  • Members
  • 179 posts
  • LocationCopenhagen

Posted 15 September 2013 - 12:12 AM

BCrypt on RubyForge shows us that we do indeed have a call to generate_salt for each run of BCrypt::Password.create.

 

http://bcrypt-ruby.r...t/Password.html


  • Rowel likes this

Blog: http://ohm.sh | Twitter: madsohm


#6 KyleMacey

KyleMacey

    Passenger

  • Members
  • 4 posts
  • LocationRochester, NY

Posted 17 September 2013 - 06:39 PM

The generate_salt method looks like this:

# File lib/bcrypt.rb, line 61
61: def self.generate_salt(cost = DEFAULT_COST)
62:   cost = cost.to_i
63:   if cost > 0
64:     if cost < MIN_COST
65:       cost = MIN_COST
66:     end
67:     if RUBY_PLATFORM == "java"
68:       Java.bcrypt_jruby.BCrypt.gensalt(cost)
69:     else
70:       __bc_salt(cost, OpenSSL::Random.random_bytes(MAX_SALT_LENGTH))
71:     end
72:   else
73:     raise Errors::InvalidCost.new("cost must be numeric and > 0")
74:   end
75: end

Line 70 shows that Ruby (not JRuby) generates a random salt.
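To see what the answers in this thread describe in running code, here is an added example; it is not code from the thread or from bcrypt-ruby. It first splits the three strings from post #1 into their version, cost, salt and digest fields, which shows that all three share "$2a$" and cost 10 and differ only because generate_salt (post #6) drew fresh random bytes from OpenSSL::Random on each call. It then builds a small salted hash-and-verify pair with only the Ruby standard library, using PBKDF2-HMAC-SHA256 as a stand-in for bcrypt so that it runs without the gem; the record format, iteration count and function names (hash_password, verify_password, demo) are my own choices, not bcrypt's. The verify step is what makes each of the three records "valid": checking a password means re-hashing it with the salt stored inside the record, which is also why a password reset just stores a new record rather than reproducing the old salt.

```ruby
require "openssl"

# Constructed sample input: the three strings the original poster got from
# BCrypt::Password.create("mypassword"), copied from post #1.
SAMPLE_BCRYPT_HASHES = [
  "$2a$10$mZ0zAQfV15MyGREu7DGAs.jvFOdT9nJhJjARiWY5CRU1VHAQ3w1Ma",
  "$2a$10$X98.1.0RtQ7Vf2AfUdTjBeUKtFkVEXKMz/Fp2BBta7.xVAaSU0F4S",
  "$2a$10$/g14BI.ZN0Oo8LHvSrC/yumKo3xR.R1ilyFCIgd2LQjn0DV40bI/O",
].freeze

# Split a bcrypt string into its fields. The layout is
# $<version>$<cost>$<22-char salt><31-char digest>, salt and digest in
# bcrypt's own base64 alphabet (./A-Za-z0-9). Parsing only; no bcrypt here.
def parse_bcrypt(str)
  m = %r{\A\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z}.match(str)
  raise ArgumentError, "not a bcrypt string: #{str.inspect}" unless m
  { version: m[1], cost: m[2].to_i, salt: m[3], digest: m[4] }
end

# Summarise why several records of one password differ: same version and
# cost, but a different salt (and therefore digest) in every record.
def same_password_records(hashes)
  parsed = hashes.map { |h| parse_bcrypt(h) }
  {
    versions: parsed.map { |p| p[:version] }.uniq,
    costs: parsed.map { |p| p[:cost] }.uniq,
    distinct_salts: parsed.map { |p| p[:salt] }.uniq.size == parsed.size,
  }
end

# --- a stdlib-only salted hash-and-verify pair (hypothetical stand-in) ---
# PBKDF2-HMAC-SHA256 replaces bcrypt so the example runs without the gem.
# The record format "pbkdf2-sha256$<iterations>$<salt>$<key>" is invented
# for this example; the design point is the same as bcrypt's: the salt is
# stored inside the record, so verification can recompute the digest.
ITERATIONS = 100_000
SALT_BYTES = 16
KEY_BYTES = 32

# Like generate_salt in post #6, a new random salt comes from OpenSSL on
# every call unless one is passed explicitly (only useful in tests).
def hash_password(password, salt: OpenSSL::Random.random_bytes(SALT_BYTES))
  key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_BYTES,
                                   OpenSSL::Digest.new("SHA256"))
  ["pbkdf2-sha256", ITERATIONS, [salt].pack("m0"), [key].pack("m0")].join("$")
end

# Constant-time byte comparison so a mismatch does not leak how many leading
# bytes matched through timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Re-derive the key from the candidate password and the salt stored in the
# record; this is the step that makes every record of a password "valid".
def verify_password(stored, candidate)
  algo, iters, salt_b64, key_b64 = stored.split("$")
  return false unless algo == "pbkdf2-sha256" && iters && salt_b64 && key_b64
  salt = salt_b64.unpack1("m0")
  expected = key_b64.unpack1("m0")
  actual = OpenSSL::PKCS5.pbkdf2_hmac(candidate, salt, iters.to_i,
                                      expected.bytesize, OpenSSL::Digest.new("SHA256"))
  constant_time_equal?(actual, expected)
rescue ArgumentError
  false # malformed base64 in a stored record is treated as a non-match
end

# Hash the same password three times, as the original poster did, and check
# the properties that matter: distinct records, all of which verify.
def demo(password = "mypassword")
  records = Array.new(3) { hash_password(password) }
  {
    all_distinct: records.uniq.size == records.size,
    all_verify: records.all? { |r| verify_password(r, password) },
    wrong_rejected: records.none? { |r| verify_password(r, "not-#{password}") },
  }
end

if __FILE__ == $PROGRAM_NAME
  p same_password_records(SAMPLE_BCRYPT_HASHES)
  p demo
end
```

With the real gem the verify step is the comparison BCrypt::Password.new(stored) == candidate, which reads the salt and cost out of the stored "$2a$10$..." string exactly as parse_bcrypt does above and re-runs bcrypt with them; no application-wide salt is involved, which answers the question in post #4.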





