Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How does node.bcrypt.js compare hashed and plaintext passwords without the salt?

Tags:

node.js

bcrypt

From github:

To hash a password:

var bcrypt = require('bcrypt'); bcrypt.genSalt(10, function(err, salt) {     bcrypt.hash("B4c0/\/", salt, function(err, hash) {         // Store hash in your password DB.     }); }); 

To check a password:

// Load hash from your password DB. bcrypt.compare("B4c0/\/", hash, function(err, res) {     // res == true }); bcrypt.compare("not_bacon", hash, function(err, res) {     // res = false }); 

From above, how can there be no salt values involved in the comparisons? What am I missing here?

like image 328
SChang Avatar asked Oct 23 '12 03:10

SChang


People also ask

How does bcrypt compare without the salt?

You provide the salt when you encrypt and this gets incorporated into the hash. bcrypt will only be able to decrypt data that was originally encrypted using bcrypt, otherwise, you're right - there would be no way for it to know which part is the hash and which part is the salt.

How does node JS compare with bcrypt password?

Check A User Entered Password const bcrypt = require("bcryptjs") const passwordEnteredByUser = "mypass123" const hash = "YOUR_HASH_STRING" bcrypt. compare(passwordEnteredByUser, hash, function(err, isMatch) { if (err) { throw err } else if (! isMatch) { console. log("Password doesn't match!") } else { console.

Does bcrypt compare use salt?

Bcrypt is a popular and trusted method for salt and hashing passwords. You have learned how to use bcrypt's NodeJS library to salt and hash a password before storing it in a database.

Does bcrypt automatically salt?

Another benefit of bcrypt is that it requires a salt by default. Let's take a deeper look at how this hashing function works!


2 Answers

The salt is incorporated into the hash (as plaintext). The compare function simply pulls the salt out of the hash and then uses it to hash the password and perform the comparison.

like image 64
Bill Avatar answered Oct 11 '22 19:10

Bill


I had the same question too as the original poster and it took a look bit of looking around and trying different things to understand the mechanism. As has already been pointed out by others, the salt is concatenated to the final hash. So this means a couple of things:

  1. The algorithm must know the length of the salt
  2. Must also know the position of the salt in the final string. e.g. if offset by a specific number from left or right.

These two things are usually hard coded in the implementation e.g. the bcrypt implementation source for bcryptjs defines the salt length as 16

/** * @type {number} * @const * @private */  var BCRYPT_SALT_LEN = 16; 

So to illustrate the basic concept behind the idea if one wanted to do it manually, It would look similar to the below. I do not recommend implementing stuff like this yourself when there are libraries that you can get to do it.

var salt_length = 16; var salt_offset = 0;  var genSalt = function(callback) {     var alphaNum = '0123456789abcdefghijklmnopqurstuvwxyzABCDEFGHIJKLMNOPQURSTUVWXYZ';     var salt = '';     for (var i = 0; i < salt_length; i++) {         var j = Math.floor(Math.random() * alphaNum.length);         salt += alphaNum[j];     }     callback(salt); }  // cryptographic hash function of your choice e.g. shar2 // preferably included from an External Library (dont reinvent the wheel) var shar2 = function(str) {     // shar2 logic here      // return hashed string; }  var hash = function(passwordText, callback) {     var passwordHash = null;     genSalt(function(salt){         passwordHash = salt + shar2(passwordText + salt);     });      callback(null, passwordHash); }  var compare = function(passwordText, passwordHash, callback) {     var salt = passwordHash.substr(salt_offset, salt_length);     validatedHash = salt + shar2(passwordText + salt);      callback(passwordHash === validatedHash);    }  // sample usage var encryptPassword = function(user) {     // user is an object with fields like username, pass, email     hash(user.pass, function(err, passwordHash){         // use the hashed password here         user.pass = passwordHash;     });      return user; }  var checkPassword = function(passwordText, user) {     // user has been returned from database with a hashed password     compare(passwordText, user.pass, function(result){         // result will be true if the two are equal         if (result){             // succeeded             console.log('Correct Password');         }         else {             // failed             console.log('Incorrect Password');         }     }); } 
like image 27
Alappin Avatar answered Oct 11 '22 20:10

Alappin