Closed timgluz closed 8 years ago
Hi @timgluz. Sorry for my late response! I was on holiday...
To do it, you should look at the concrete hasher implementation. In the case of bcrypt, buddy-hashers does not use plain bcrypt as is. Instead, it combines bcrypt with sha512 (bcrypt has a limitation of max 72 chars per password and, to avoid it, the password is first hashed).
The salt parameter and the salt part of the human-readable output are not the salt of the bcrypt. Let's see how it is implemented:
```clojure
(defmethod derive-password :bcrypt+sha512
  [{:keys [algorithm password salt iterations] :as pwdparams}]
  (let [;; the "salt" that ends up in the output: 12 random bytes unless given
        salt (->byte-array (or salt (nonce/random-bytes 12)))
        iterations (or iterations (get *default-iterations* algorithm))
        ;; the real bcrypt salt (with the cost) is generated here and is
        ;; embedded in the bcrypt string that hashpw returns
        iv (BCrypt/gensalt iterations)
        pwd (-> password
                (bytes/concat salt)   ; password bytes followed by salt bytes
                (hash/sha512)         ; sha512 pre-hash (avoids the 72-char limit)
                (bytes->hex)          ; lowercase hex string is what bcrypt sees
                (BCrypt/hashpw iv)    ; (BCrypt/hashpw hex-string iv)
                (str->bytes))]
    {:algorithm algorithm
     :iterations iterations
     :salt salt
     :password pwd}))
```
`hashpw` function. If you want to access and verify the password generated by buddy-hashers, you should implement something like this in Ruby.
Thanks,
I decided not to replicate the same logic in Ruby - late-night hacking is dangerous.
In the morning I got a much better idea and just wrote a new strategy for the Devise auth framework.
Hi,
I'm currently trying to make my Rails app use the same authorization passwords as my Clojure APIs are already using.
In Ruby, it's possible to use the bcrypt library, but it needs the salt as a plain string, otherwise it keeps generating a different password each time and makes checking impossible. I thought maybe I could turn the Buddy hex-coded salt into a plain string again and feed it into `BCrypt::Engine.hash_secret`, but I can't find out why the encoding doesn't work. I tried a similar solution on the Clojure REPL and the result was the same gibberish.
For example, I have this hash in my DB: "bcrypt+sha512$67cc133815dc703a498b7ded$12$...somepassword"
I extracted the salt `67cc133815dc703a498b7ded` and ran this on the REPL: `(bytes->str (hex->bytes "67cc133815dc703a498b7ded"))`
And it returned something like this: "g�8�p:I�}�". Is there a way to turn this hex representation into a plain UTF-8 string again?
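The following Ruby code is an added example (not code from the buddy-hashers project or from either participant) that does what the maintainer's reply describes: it takes the `bcrypt+sha512$<hex salt>$<cost>$<bcrypt string>` format apart, treats the hex salt as raw bytes rather than as text (which is why the `bytes->str` attempt above only produces gibberish), computes `sha512(password || salt)` as lowercase hex, and feeds that hex string to bcrypt. The function names, the `bcrypt` gem requirement and the sample hash with a placeholder bcrypt part are assumptions of this example.

```ruby
require 'digest'
require 'securerandom'

# The bcrypt gem is only needed for the final bcrypt step; the sha512
# pre-hash below is pure stdlib, so parsing and pre-hashing work without it.
HAVE_BCRYPT = begin
  require 'bcrypt'
  true
rescue LoadError
  false
end

# Split "bcrypt+sha512$<hex salt>$<cost>$<bcrypt string>" into its parts.
# The bcrypt string contains '$' itself, so split at most four ways.
def parse_buddy_hash(stored)
  algorithm, hex_salt, iterations, bcrypt_hash = stored.split('$', 4)
  raise ArgumentError, "unsupported algorithm: #{algorithm}" unless algorithm == 'bcrypt+sha512'
  {
    algorithm: algorithm,
    # The salt is random bytes, not text: decode the hex into a binary string
    # instead of trying to turn it into UTF-8.
    salt: [hex_salt].pack('H*'),
    iterations: Integer(iterations),
    hash: bcrypt_hash
  }
end

# sha512(password || salt) as lowercase hex. This hex string is what buddy
# actually passes to BCrypt/hashpw, which sidesteps bcrypt's 72-byte limit.
def prehash(password, salt)
  Digest::SHA512.hexdigest(password.b + salt.b)
end

# Verify a password against a stored buddy-hashers string. The bcrypt salt
# and cost live inside the bcrypt string itself, so the gem recovers them.
def verify_buddy_hash(password, stored)
  raise 'bcrypt gem not available' unless HAVE_BCRYPT
  parts = parse_buddy_hash(stored)
  BCrypt::Password.new(parts[:hash]).is_password?(prehash(password, parts[:salt]))
end

# Produce a hash in the same format, so users created from Ruby can be
# verified by the Clojure side (and for round-trip testing here).
def create_buddy_hash(password, cost: 12, salt: nil)
  raise 'bcrypt gem not available' unless HAVE_BCRYPT
  salt ||= SecureRandom.random_bytes(12) # buddy uses (nonce/random-bytes 12)
  bcrypt_hash = BCrypt::Password.create(prehash(password, salt), cost: cost).to_s
  "bcrypt+sha512$#{salt.unpack('H*').first}$#{cost}$#{bcrypt_hash}"
end

if __FILE__ == $PROGRAM_NAME && HAVE_BCRYPT
  stored = create_buddy_hash('correct horse', cost: 4) # constructed sample
  puts stored
  puts verify_buddy_hash('correct horse', stored) # true
  puts verify_buddy_hash('wrong password', stored) # false
end
```

Note that the `$12$` field in the stored string is the bcrypt cost, and that the bcrypt string already carries its own salt, so no salt needs to be handed to `BCrypt::Engine.hash_secret` by hand.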