Is it possible to specify which salt is used when encrypting strings with ruby-bcrypt?
I know it's not very safe, but I only use it for not-high security data: I have a platform, and when a user deletes his account, I still want to know if this user was registered with this email before (due to free credits on registration).
So I thought I will encrypt the email with Bcrypt (before deletion) and later I can query afterwards if this hash exists when the user wants to register again with this email address?
But now I realized that bcrypt always produces a new salt... Can I specify the salt somehow?
Thanks,
DISCLAIMER/ATTENTION:
IN GENERAL YOU SHOULD NEVER SPECIFY SALTS DIRECTLY - IT'S INSECURE!!!
You could use BCrypt::Password.create, passing it the email, to generate those hashes along with a unique salt.
2.0.0-p195 :003 > hashed_email = BCrypt::Password.create 'joe@test.com'
=> "$2a$10$vX2tl3omW9h4k66XC7/BwOFH0n7EqtH4PJATPa7YVSeJh7TEpt/bK"
2.0.0-p195 :004 > hashed_email = BCrypt::Password.create 'joe@test.com'
=> "$2a$10$RdQIHtz.L5To1F1XRK//..h6nHYdQ3uJ2PTgB58e3xufoqgZGqbO6"
2.0.0-p195 :005 > hashed_email = BCrypt::Password.create 'joe@test.com'
=> "$2a$10$bTFVXO/d0/sf6SxzCcRMU.zBPcR5yjI6ID6O9J2eXKbqim/jPM3PC"
2.0.0-p195 :006 > hashed_email = BCrypt::Password.create 'joe@test.com'
=> "$2a$10$gbXU4UEiHTC0HCnD672Dm.TeBhZeCa6sBiX8Pk50KSXcprDJnEYA."
Now you don't have to worry about using a fixed salt as BCrypt has already stored it with the hash for you.
But what I guess you've identified is that it means that there will be a processing cost associated with the comparison later though as you can't just do a 'SELECT user WHERE email_hash = hash'...
If you absolutely want to use a fixed salt, you can.
require 'bcrypt'
salt = BCrypt::Engine.generate_salt        # generate the salt once and keep it
hash = BCrypt::Engine.hash_secret 'hello', salt   # same input + same salt => same hash
(Just store that salt string somewhere and you can use it later.)