I found that Meteor uses sha-256 by default to hash passwords. But I'm confused: after hashing, the same password on different accounts becomes a different string stored in the database. Can anyone explain the detailed implementation, thanks
Best answer
According to the Meteor docs, accounts-password uses bcrypt.
If you look at the source code of loginWithPassword, you should be able to work out where the salt is stored. As a second source, read MasterAM's answer to Laravel & Meteor password hashing, which shows that Meteor has used $2y$ hash strings since 2011, i.e. PHP CRYPT_BLOWFISH, which uses
CRYPT_BLOWFISH - Blowfish hashing with a salt as follows: "$2a$", "$2x$" or "$2y$", a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z". Using characters outside of this range in the salt will cause crypt() to return a zero-length string. The two digit cost parameter is the base-2 logarithm of the iteration count for the underlying Blowfish-based hashing algorithm and must be in range 04-31, values outside this range will cause crypt() to fail. Versions of PHP before 5.3.7 only support "$2a$" as the salt prefix: PHP 5.3.7 introduced the new prefixes to fix a security weakness in the Blowfish implementation. Please refer to » this document for full details of the security fix, but to summarise, developers targeting only PHP 5.3.7 and later should use "$2y$" in preference to "$2a$".
So look for the $2y$ string in the database and extract the salt from it.
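To make the "extract the salt from it" step concrete, here is an added example (not code from the answer above or from Meteor) that parses a stored CRYPT_BLOWFISH string into prefix, cost, salt and digest using the format the quote describes, and rebuilds the "$2y$NN$salt" setting string that crypt() needs to re-hash a login attempt with the same salt. The two account records are constructed to match the format and are not real bcrypt outputs; the "2b" prefix is accepted alongside the three from the quote because later bcrypt implementations emit it.

```javascript
// Added example, not from the original answer or Meteor. Parses a bcrypt /
// CRYPT_BLOWFISH string "$2y$NN$<22-char salt><31-char digest>" to show where the
// salt sits and why the same password yields a different stored string per account.
// Sample records below are constructed for the format only, not real bcrypt output.

const BCRYPT_RE = /^\$(2[abxy])\$(\d{2})\$([./0-9A-Za-z]{22})([./0-9A-Za-z]{31})$/;

// Split a stored hash into its fields; throws on anything crypt() would reject.
function parseBcryptHash(stored) {
  const m = BCRYPT_RE.exec(stored);
  if (!m) {
    throw new Error('not a bcrypt string: bad prefix, salt alphabet or length');
  }
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) {
    throw new Error(`cost ${m[2]} outside the allowed range 04-31`);
  }
  return {
    prefix: m[1], // "2a", "2b", "2x" or "2y"
    cost,         // log2 of the key-expansion iteration count
    salt: m[3],   // 22 chars = 128 random bits, stored in the clear
    hash: m[4],   // 31 chars = the 184-bit digest
  };
}

// Rebuild the "$2y$NN$<salt>" setting string. Passing this, instead of a fresh
// random salt, to crypt() re-hashes a login attempt with the stored salt so the
// result can be compared with the stored digest; that is the only way to get the
// same output twice for one password.
function saltSetting(stored) {
  const { prefix, cost, salt } = parseBcryptHash(stored);
  return `$${prefix}$${String(cost).padStart(2, '0')}$${salt}`;
}

// Two constructed records for the *same* password on two different accounts.
const ACCOUNT_A = '$2y$10$abcdefghijklmnopqrstuv0123456789ABCDEFGHIJKLMNOPQRSTU';
const ACCOUNT_B = '$2y$10$ZYXWVUTSRQPONMLKJIHGFEzyxwvutsrqponmlkjihgfedcba98765';

// True when two records share scheme and cost and differ in salt, which is the
// situation the question describes.
function differOnlyBySalt(a, b) {
  const pa = parseBcryptHash(a), pb = parseBcryptHash(b);
  return pa.prefix === pb.prefix && pa.cost === pb.cost && pa.salt !== pb.salt;
}
```

Running saltSetting(ACCOUNT_A) gives "$2y$10$abcdefghijklmnopqrstuv", which is exactly the value a verifier feeds back into crypt() alongside the candidate password.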
On the question of why Meteor stores the same password as different strings in the database after hashing, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/35715853/