Method Nettle.bcrypt_hash()


Method bcrypt_hash

string(7bit) bcrypt_hash(string(8bit) password, string(7bit) scheme, string(8bit)|void salt, int|void log2rounds)

Description

Low level implementation of the bcrypt password-hashing algorithm.

Parameter password

The cleartext password. Only accepts 8-bit strings. Typically passwords are encoded in UTF-8 NFC, but some platforms may have other conventions.

Parameter scheme

Specifies the scheme to be used to generate the hash. The settings string either names the scheme alone ("2a", "2b", "2x" or "2y"), or it contains a normal hashed password string (or a prefix of one), so an existing hashed password string may be passed unmodified.

When generating a new hash from scratch, the following minimum needs to be specified, e.g. "$2y$10$1b2lPgo4XumibnJGN3r3sO". In this string, "$" is the separator, "2y" specifies the hash algorithm used, "10" specifies 2^10 encryption rounds, and "1b2lPgo4XumibnJGN3r3sO" is the salt (16 bytes, base64 encoded). The minimal value for settings would be "$2y$".

Parameter salt

The salt can be supplied as part of settings, or separately as a 16-byte binary string.

Parameter log2rounds

The log2 number of encryption rounds. If unspecified, it is taken from the settings string; if it is not specified there either, it defaults to 10, which equals 1024 encryption rounds.

Returns

Returns the hashed and encoded version of the supplied password, computed according to the specified algorithm, encryption rounds, and salt. Throws an error on invalid input.
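The following is an added example, not part of the Pike reference manual. It creates a hash from the minimal "$2y$" settings with a separate 16-byte salt, then verifies a password by passing the stored hash back unmodified as the scheme. The helper names (ct_equal, make_hash, check_password), the cost of 12, the sample passwords and the use of Crypto.Random.random_string() as the salt source are assumptions of this example.

```pike
// Added example: create and verify a bcrypt hash with Nettle.bcrypt_hash().
// Helper names and sample values are hypothetical, not from the manual.

// Compare two strings without stopping at the first differing byte,
// so the comparison time does not reveal how many bytes matched.
int(0..1) ct_equal(string(8bit) a, string(8bit) b)
{
  if (sizeof(a) != sizeof(b)) return 0;
  int diff = 0;
  for (int i = 0; i < sizeof(a); i++)
    diff |= a[i] ^ b[i];
  return !diff;
}

// New hash: minimal "$2y$" settings, separate 16-byte binary salt,
// explicit log2rounds. The password is assumed to be NFC already and
// is encoded to UTF-8, since only 8-bit strings are accepted.
string(7bit) make_hash(string password)
{
  string(8bit) salt = Crypto.Random.random_string(16); // assumed salt source
  return Nettle.bcrypt_hash(string_to_utf8(password), "$2y$", salt, 12);
}

// Verify: the stored hash is passed unmodified as the scheme, so the
// algorithm, rounds and salt are all taken from it.
int(0..1) check_password(string password, string(7bit) stored)
{
  string(7bit) candidate;
  // bcrypt_hash() throws on invalid input; treat that as a failed login.
  if (catch { candidate = Nettle.bcrypt_hash(string_to_utf8(password), stored); })
    return 0;
  return ct_equal(candidate, stored);
}

int main()
{
  string(7bit) h = make_hash("correct horse");     // constructed sample
  write("hash: %s\n", h);
  write("good: %d\n", check_password("correct horse", h));
  write("bad:  %d\n", check_password("wrong", h));
  write("junk: %d\n", check_password("x", "not-a-hash"));
  return 0;
}
```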

Note

You should normally use Crypto.Password instead.

See also

Crypto.Password, Crypto.BLOWFISH