joanwolk

Reputation: 1105

Are bcrypt salts accessible separately?

When using has_secure_password in Rails 3.1, bcrypt randomly generates a salt for each user's password. Based on this response, I understand the salt is stored as part of the password hash. Is there a method or attribute available to access that salt separately, for example to use in writing secure cookies?

Upvotes: 10

Views: 4621

Answers (1)

Jesse Wolgamott

Reputation: 40277

You'll be able to get the salt and checksum if you need it.

gem install bcrypt-ruby
irb
require 'bcrypt'

hash = BCrypt::Password.create 'superpass'
=> "$2a$10$DtjuZD6nJtrBRLEySlSVm.bJyBMhEhVRAeiVk/GjmQdBNf7WhmDWi"
hash.salt
=> "$2a$10$DtjuZD6nJtrBRLEySlSVm."
hash.checksum
=> "bJyBMhEhVRAeiVk/GjmQdBNf7WhmDWi"
hash == "starbucks"
=> false
hash == "superpass"
=> true

Your salt and checksum will vary.

More info: https://github.com/codahale/bcrypt-ruby

Upvotes: 15
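An added example (not code from the answer above or from the bcrypt-ruby project) that makes the answer's point explicit: the salt is not stored anywhere separately, it is simply the first 29 characters of the hash string, so it can be split off with a plain regex. `bcrypt_parts` below mirrors what `BCrypt::Password#salt` and `#checksum` return in the answer, using only the standard library; `recompute_with_gem` additionally assumes the `bcrypt` gem is installed and shows that re-hashing the same secret with the extracted salt reproduces the full string. The sample hash is the one from the answer.

```ruby
# Added example, not code from the answer above. It splits a bcrypt string
# the same way bcrypt-ruby's Password#salt / #checksum do, using only the
# standard library, and optionally recomputes the hash with the gem.

# Sample hash taken from the answer above (secret 'superpass').
SAMPLE_HASH = "$2a$10$DtjuZD6nJtrBRLEySlSVm.bJyBMhEhVRAeiVk/GjmQdBNf7WhmDWi"

# Modular-crypt layout: $<version>$<cost>$<22-char salt><31-char checksum>
# Salt and checksum use bcrypt's own base64 alphabet ("./A-Za-z0-9").
BCRYPT_RE = /\A\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})\z/

# Returns { version:, cost:, salt:, checksum: }, or nil if the string is not a
# well-formed bcrypt hash. :salt includes the "$2a$10$" prefix, matching what
# BCrypt::Password#salt returns in the answer.
def bcrypt_parts(hash_string)
  m = BCRYPT_RE.match(hash_string)
  return nil unless m
  version, cost, salt22, checksum = m.captures
  {
    version:  version,
    cost:     cost.to_i,          # work factor: 2**cost key-expansion rounds
    salt:     "$#{version}$#{cost}$#{salt22}",
    checksum: checksum
  }
end

# Re-hashes a secret with an extracted salt using the bcrypt gem (assumed
# installed). bcrypt is deterministic for a fixed salt, so the result equals
# the original string whenever the secret is the same.
def recompute_with_gem(secret, salt)
  require 'bcrypt'
  BCrypt::Engine.hash_secret(secret, salt)
end

if __FILE__ == $0
  parts = bcrypt_parts(SAMPLE_HASH)
  parts.each { |k, v| puts "#{k}: #{v}" }
  begin
    same = recompute_with_gem('superpass', parts[:salt]) == SAMPLE_HASH
    puts "recomputed with same salt matches original: #{same}"
  rescue LoadError
    puts "bcrypt gem not installed; skipping recompute"
  end
end
```

Because the salt sits in the clear inside the same column as the checksum, anyone who can read the password hash can read the salt; it is there to make each hash unique, not to act as a secret, so it should not be treated as key material for something like a cookie signature.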
