Why isn't salt required to compare whether password is correct in bcrypt?

I would like to use node.js bcrypt to hash passwords before storing them in the database.

This link provides the documentation. https://github.com/kelektiv/node.bcrypt.js

Here is an example on hashing the password.

var bcrypt = require('bcrypt');
const saltRounds = 10;
const myPlaintextPassword = 's0/\/\P4$$w0rD';

var salt = bcrypt.genSaltSync(saltRounds);
var hash = bcrypt.hashSync(myPlaintextPassword, salt);
// Store hash in your password DB.

Here is the code to check the password.

// Load hash from your password DB.
bcrypt.compareSync(myPlaintextPassword, hash); // true

This is what I don't understand. In bcrypt.compareSync, why is there no parameter salt? Since the hash is generated from salt, why does comparing the plaintext password not involve the original salt used in hashing?

guagay_wk asked Jan 10 '17 08:01



1 Answer

The salt is part of the string bcrypt stores in the database, see for instance the answer on Do I need to store the salt with bcrypt?

rypskar answered Oct 23 '22 21:10