
npm package bcrypt compare function no need salt question All In One


Why does the bcrypt.compare function not need the salt when comparing against the original password?

https://github.com/kelektiv/node.bcrypt.js/discussions/972

Default salt rounds: 10

https://github.com/kelektiv/node.bcrypt.js/issues/963#issuecomment-1272338945

jwt signature

https://github.com/kelektiv/node.bcrypt.js/issues/935#issuecomment-1159411386

Per bcrypt implementation, only the first 72 bytes of a string are used.
Any extra bytes are ignored when matching passwords.

Note that this is not the first 72 characters.
It is possible for a string to contain less than 72 characters, while taking up more than 72 bytes
(e.g. a UTF-8 encoded string containing emojis).


demo

{
  "dependencies": {
    "bcrypt": "3.0.6"
  }
}

Why does the bcrypt.compare function not need the salt when comparing against the original password?

// hash-salt-test.js
const bcrypt = require('bcrypt');

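const hash = async function (password, salt = 10) {
  // default value: 10
  // Note: a number passed as the second argument is the salt rounds (cost factor);
  // bcrypt generates a random salt itself and embeds it in the returned hash.
  console.log(`❓salt =`, salt);
  const hashed = await bcrypt.hash(password, salt);
  return hashed;
}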

const check = async function (password, hashed) {
  const result = await bcrypt.compare(password, hashed);
  return result;
}

const test = async function (salt = 10) {
  // password length is 10 ✅, less than 72 bytes ❓
  const pwd = 'pwd1234567';
  const hashed = await hash(pwd, salt);
  const result = await check(pwd, hashed);
  console.log(`\nhash with salt`, hashed);
  console.log(`result =`, result);
}

test();
test(5);
test(11);
test(15);
test(17);

/*

 $ node ./hash-salt-test.js

❓salt = 10
❓salt = 5
❓salt = 11
❓salt = 15
❓salt = 17

hash with salt $2b$05$.zICWxt0wAjGb58kIN6GwekMtP5jUeYD34/wqfE17yYqZ3rO43RV.
result = true

hash with salt $2b$10$PPJdjtaboGieRgk1p86bsuCHIqmiFhqaRGwHrpVs5/dZ3ZLC8b33m
result = true

hash with salt $2b$11$Y.Ozy9S5gtZUR1XD3egrGeZ1H8HmPOUqBDochpGM5pLCIP2tk38Xa
result = true

hash with salt $2b$15$UBGFkZRAxGgMMTaRDmxJ1eTgCBM.ovvESEyJJwrGeIpk/Vw3NPFkC
result = true

hash with salt $2b$17$zyjemy4KDsQDO8Q2kCgYeeW/FsG3kiWp0hXl4t.o8GUWrWjA4.R.S
result = true

*/
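
The demo output above already answers the question: every hash string carries its own version, cost and salt, so compare() reads them back from the stored hash. The following is an added example, not part of the original post; the function names are hypothetical and the layout assumed is the standard 60-character `$<version>$<cost>$<22-char salt><31-char digest>` bcrypt string.

```javascript
// Added example: split a bcrypt hash string into the fields compare() re-uses.
// Assumed layout: $<version>$<cost>$<22-char salt><31-char digest> (60 chars).
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

function parseBcryptHash(hashed) {
  const m = BCRYPT_RE.exec(hashed);
  if (!m) {
    throw new Error('not a 60-character bcrypt hash string');
  }
  const [, version, cost, salt, digest] = m;
  return { version, cost: Number(cost), salt, digest };
}

// Number of different salts found in a list of hash strings.
function distinctSalts(hashes) {
  return new Set(hashes.map((h) => parseBcryptHash(h).salt)).size;
}

// Hash strings copied from the demo output on this page.
// All of them were produced from the same password, 'pwd1234567'.
const samples = [
  '$2b$05$.zICWxt0wAjGb58kIN6GwekMtP5jUeYD34/wqfE17yYqZ3rO43RV.',
  '$2b$10$PPJdjtaboGieRgk1p86bsuCHIqmiFhqaRGwHrpVs5/dZ3ZLC8b33m',
  '$2b$17$zyjemy4KDsQDO8Q2kCgYeeW/FsG3kiWp0hXl4t.o8GUWrWjA4.R.S',
];

for (const s of samples) {
  // The number passed to hash() shows up as `cost`; the salt is random per call.
  console.log(parseBcryptHash(s));
}
console.log('distinct salts =', distinctSalts(samples));
```

The value passed as `salt` in the demo (5, 10, 17) appears in the cost field, while the real salt is the 22 characters that follow it and differs on every call even for the same password.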



https://www.npmjs.com/package/bcrypt

https://github.com/kelektiv/node.bcrypt.js

https://github.com/nodejs/node-gyp

https://en.wikipedia.org/wiki/Bcrypt

js get string bytes length



// js get string bytes length ✅

(() => {
  const len = unescape(encodeURIComponent(`pwd1234567`)).length;
  console.log(`bytes =`, len);
  // 10
})();
// The signature '(string: string): string' of 'unescape' is deprecated.ts(6387)

(() => {
  const len = new TextEncoder().encode(`pwd1234567`).length;
  console.log(`bytes =`, len);
  // 10
})();

// (() => {
//   let size = new Blob(['pwd1234567']).size;
//   console.log(`bytes =`, size);
//   // 10
// })();
// Node.js v16 ❌ ReferenceError: Blob is not defined
// @since — v18.0.0
// https://nodejs.org/api/buffer.html#class-blob

(() => {
  const bytes = Buffer.byteLength(`pwd1234567`, 'utf8');
  console.log(`UTF-8 bytes =`, bytes);
  // 10
})();

(() => {
  // 'utf16' is not a Node.js encoding name (it falls back to UTF-8); use 'utf16le'
  const bytes = Buffer.byteLength(`pwd1234567`, 'utf16le');
  console.log(`UTF-16 bytes =`, bytes);
  // 20
})();
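
The byte count matters because of the 72-byte rule quoted earlier: bcrypt counts bytes, not characters. The following added example (not from the original post; function names and sample passwords are constructed for illustration) flags passwords that would be truncated and shows two different passwords that share the same first 72 bytes.

```javascript
// Added example: detect passwords that bcrypt would truncate at 72 bytes.
const BCRYPT_MAX_BYTES = 72; // limit quoted from the bcrypt README on this page

function utf8Bytes(str) {
  return new TextEncoder().encode(str);
}

function bcryptInputInfo(password) {
  const bytes = utf8Bytes(password);
  return {
    chars: [...password].length,   // Unicode code points
    utf16Units: password.length,   // what String.length reports
    bytes: bytes.length,           // what bcrypt counts
    truncated: bytes.length > BCRYPT_MAX_BYTES,
  };
}

// True when two passwords share the same first 72 bytes, which under the
// 72-byte rule means both would match the same stored hash.
function sameBcryptInput(a, b) {
  const x = utf8Bytes(a).slice(0, BCRYPT_MAX_BYTES);
  const y = utf8Bytes(b).slice(0, BCRYPT_MAX_BYTES);
  return x.length === y.length && x.every((v, i) => v === y[i]);
}

// Constructed sample inputs.
const ascii = 'pwd1234567';                      // 10 chars, 10 bytes
const emoji = '🔐'.repeat(20);                   // 20 chars, 4 bytes each
const longA = 'a'.repeat(72) + 'first-suffix';   // differs only after byte 72
const longB = 'a'.repeat(72) + 'other-suffix';

console.log(bcryptInputInfo(ascii));
console.log(bcryptInputInfo(emoji));
console.log('longA and longB indistinguishable:', sameBcryptInput(longA, longB));
```

A registration or password-change handler can reject input where `truncated` is true before calling `bcrypt.hash`, so that no part of a user's password is silently ignored.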


https://www.cloudhadoop.com/string-size-bytes-javascript/

https://www.geeksforgeeks.org/how-to-get-the-length-of-a-string-in-bytes-in-javascript/

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/length

JWT

JWT Handbook pdf download

https://cdn.xgqfrms.xyz/Handbook/JWT/jwt-handbook-v0_14_1.pdf

https://cdn.xgqfrms.xyz/Handbook/JWT/jwt-handbook-v0_14_1.epub

https://cdn.xgqfrms.xyz/Handbook/JWT/jwt-handbook-v0_14_1.mobi


https://www.cnblogs.com/xgqfrms/p/9712897.html#5132442

https://www.monterail.com/blog/more-secure-passwords-bcrypt

how to get a SHA-256 bit secret in a Linux terminal

https://man7.org/linux/man-pages/man1/sha256sum.1.html

https://www.computerhope.com/unix/sha256sum.htm

zsh: command not found: sha256sum

$ sha256sum jwt_token.md 
zsh: command not found: sha256sum
$ brew install coreutils
Running `brew update --auto-update`...
==> Auto-updated Homebrew!
Updated 1 tap (homebrew/core).
==> New Formulae
brpc                       ghc@9.2                    seven-kingdoms
cocogitto                  ibazel                     sql-language-server
gf                         jscpd

You have 1 outdated formula installed.
You can upgrade it with brew upgrade
or list it with brew outdated.

==> Downloading https://ghcr.io/v2/homebrew/core/gmp/manifests/6.2.1_1
######################################################################## 100.0%
==> Downloading https://ghcr.io/v2/homebrew/core/gmp/blobs/sha256:4c6488dfd53b82
==> Downloading from https://pkg-containers.githubusercontent.com/ghcr1/blobs/sh
######################################################################## 100.0%
==> Downloading https://ghcr.io/v2/homebrew/core/coreutils/manifests/9.1
######################################################################## 100.0%
==> Downloading https://ghcr.io/v2/homebrew/core/coreutils/blobs/sha256:45640090
==> Downloading from https://pkg-containers.githubusercontent.com/ghcr1/blobs/sh
######################################################################## 100.0%
==> Installing dependencies for coreutils: gmp
==> Installing coreutils dependency: gmp
==> Pouring gmp--6.2.1_1.ventura.bottle.tar.gz
🍺  /usr/local/Cellar/gmp/6.2.1_1: 21 files, 3.3MB
==> Installing coreutils
==> Pouring coreutils--9.1.ventura.bottle.tar.gz
==> Caveats
Commands also provided by macOS and the commands dir, dircolors, vdir have been installed with the prefix "g".
If you need to use these commands with their normal names, you can add a "gnubin" directory to your PATH with:
  PATH="/usr/local/opt/coreutils/libexec/gnubin:$PATH"
==> Summary
🍺  /usr/local/Cellar/coreutils/9.1: 476 files, 13.5MB
==> Running `brew cleanup coreutils`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
==> Caveats
==> coreutils
Commands also provided by macOS and the commands dir, dircolors, vdir have been installed with the prefix "g".
If you need to use these commands with their normal names, you can add a "gnubin" directory to your PATH with:
  PATH="/usr/local/opt/coreutils/libexec/gnubin:$PATH"
➜  linux-shell-playground 

$ PATH="/usr/local/opt/coreutils/libexec/gnubin:$PATH"

https://unix.stackexchange.com/questions/426837/no-sha256sum-in-macos

https://www.baeldung.com/linux/sha-256-from-command-line

https://www.ibm.com/docs/en/imdm/12.0?topic=encryption-generating-aes-keys-password

blogs

https://www.monterail.com/blog/more-secure-passwords-bcrypt

https://codahale.com/how-to-safely-store-a-password/

https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

https://github.com/OWASP/CheatSheetSeries

https://github.com/web-full-stack/CheatSheetSeries/tree/master/cheatsheets

https://github.com/web-full-stack/CheatSheetSeries/issues/1


refs

https://www.cnblogs.com/xgqfrms/p/9712897.html#5132441

https://www.cnblogs.com/xgqfrms/p/9712897.html#5132442



©xgqfrms 2012-2021



posted @ 2022-12-09 21:13  xgqfrms