doubi4814 2015-01-17 20:42
Views: 32
Accepted

Problem storing strings generated by crypto/rand

So I have the following go file(s) as part of my project to be used for hashing passwords, I also wrote some tests that to my knowledge have yet to fail.

Currently the issue is that I am trying to store the password and salt in some database as strings, and every time I retrieve them to be compared against another string I keep getting the message in the picture from golang's bcrypt package. The tests I wrote are running fine and produce the appropriate effect. I would have supplied a go playground link but bcrypt package is part of the standard library.

I know the gibberish from crypto/rand is pretty much the same from the initial look but I am not sure if there is anything being changed on the database. I am using redis fyi.

Edit: based on the request of @3of3, I am including the DAO code from my project. Also the bcrypt only solution worked with this code but as I stated in the comments, I am aiming to stick to Mozilla's guide.

[image not preserved: the bcrypt error message referred to above]


2 answers

  • dsnrixf6765 2015-01-18 15:30

    The salt does not roundtrip through the JSON encode / decode because the salt is not valid UTF8.

    There are a few ways to fix the problem:

    • Hex or base64 encode / decode the salt in hasher.
    • Use the []byte type for salt throughout the code. The JSON encoder encodes []byte values using base64.
    • Use the gob encoder instead of the JSON encoder.

    Mozilla recommends storing the extra salt separate from the bcrypted password. By storing the extra salt with the bcrypted password, the system is no more secure than using bcrypt alone.

    To hex encode the salt, change

        return string(p), string(salt), nil

    to

        // requires import "encoding/hex"
        return string(p), hex.EncodeToString(salt), nil

    and change

        s := []byte(salt)

    to

        s, err := hex.DecodeString(salt)
        if err != nil {
            return err
        }
    This answer was selected as the best answer by the asker.
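The three behaviours the answer describes (a raw `string(salt)` being mangled by `encoding/json`, a hex-encoded salt surviving, and a `[]byte` salt being base64-encoded automatically) can be reproduced without bcrypt or redis. The following is an added example, not the asker's DAO code or the answerer's; the type and function names (`stringSalt`, `byteSalt`, `newSalt`, `roundTrip*`) are assumptions, and the six-byte salt in `main` is constructed to contain invalid UTF-8 deliberately.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"unicode/utf8"
)

// stringSalt is a stand-in for a stored credential whose salt is kept as a
// Go string (hypothetical name; the bcrypt hash field is left out because
// only the salt misbehaves).
type stringSalt struct {
	Salt string `json:"salt"`
}

// byteSalt keeps the salt as []byte, which encoding/json base64-encodes.
type byteSalt struct {
	Salt []byte `json:"salt"`
}

// newSalt draws n random bytes from crypto/rand. About half of all random
// bytes are >= 0x80, so a 16-byte salt is virtually never valid UTF-8.
func newSalt(n int) ([]byte, error) {
	salt := make([]byte, n)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return salt, nil
}

// roundTripString reproduces the bug: encoding/json coerces the string to
// valid UTF-8, replacing every invalid byte with U+FFFD, so the decoded
// bytes no longer match the salt that was generated.
func roundTripString(salt []byte) ([]byte, error) {
	enc, err := json.Marshal(stringSalt{Salt: string(salt)})
	if err != nil {
		return nil, err
	}
	var rec stringSalt
	if err := json.Unmarshal(enc, &rec); err != nil {
		return nil, err
	}
	return []byte(rec.Salt), nil
}

// roundTripHex applies the answer's first fix: hex-encode before storing and
// decode after loading. Hex is pure ASCII, so JSON leaves it untouched.
func roundTripHex(salt []byte) ([]byte, error) {
	enc, err := json.Marshal(stringSalt{Salt: hex.EncodeToString(salt)})
	if err != nil {
		return nil, err
	}
	var rec stringSalt
	if err := json.Unmarshal(enc, &rec); err != nil {
		return nil, err
	}
	return hex.DecodeString(rec.Salt)
}

// roundTripBytes applies the second fix: keep []byte end to end and let
// encoding/json do the base64 conversion in both directions.
func roundTripBytes(salt []byte) ([]byte, error) {
	enc, err := json.Marshal(byteSalt{Salt: salt})
	if err != nil {
		return nil, err
	}
	var rec byteSalt
	if err := json.Unmarshal(enc, &rec); err != nil {
		return nil, err
	}
	return rec.Salt, nil
}

func main() {
	// Constructed salt: 0xff, 0xfe and the truncated sequence 0xc3 0x28 are
	// all invalid UTF-8; 0x00 and 'A' are kept to show they pass through.
	salt := []byte{0xff, 0xfe, 0x00, 'A', 0xc3, 0x28}
	fmt.Printf("salt %x valid UTF-8: %v\n", salt, utf8.Valid(salt))

	variants := []struct {
		name string
		fn   func([]byte) ([]byte, error)
	}{
		{"string", roundTripString},
		{"hex", roundTripHex},
		{"[]byte", roundTripBytes},
	}
	for _, v := range variants {
		got, err := v.fn(salt)
		fmt.Printf("%-7s intact=%v err=%v got=%x\n",
			v.name, err == nil && bytes.Equal(got, salt), err, got)
	}

	if s, err := newSalt(16); err == nil {
		fmt.Printf("random 16-byte salt valid UTF-8: %v\n", utf8.Valid(s))
	}
}
```

The `string` variant comes back twice as long as it went in (each of the three invalid bytes becomes the three-byte encoding of U+FFFD), which is exactly the kind of silent corruption that makes a later bcrypt comparison fail while unit tests that never touch the encoder keep passing.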
