I would like to use node.js bcrypt to hash passwords before storing them in the database.
This link provides the documentation. https://github.com/kelektiv/node.bcrypt.js
Here is an example on hashing the password.
var bcrypt = require('bcrypt');
const saltRounds = 10;
const myPlaintextPassword = 's0/\/\P4$$w0rD';
var salt = bcrypt.genSaltSync(saltRounds);
var hash = bcrypt.hashSync(myPlaintextPassword, salt);
// Store hash in your password DB.
Here is the code to check the password.
// Load hash from your password DB.
bcrypt.compareSync(myPlaintextPassword, hash); // true
This is what I don't understand. In bcrypt.compareSync
, why is there no parameter salt
? Since the hash is generated from salt, why does comparing the plaintext password not involve the original salt used in hashing?
Bcrypt is a popular and trusted method for salt and hashing passwords. You have learned how to use bcrypt's NodeJS library to salt and hash a password before storing it in a database.
Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power.
It needs to be stored somewhere so that it's repeatable: when a user tries to log in, we take their password attempt, repeat the same salt-and-hash procedure we did when we originally stored their password, and compare.
With "salt round" they actually mean the cost factor. The cost factor controls how much time is needed to calculate a single BCrypt hash. The higher the cost factor, the more hashing rounds are done. Increasing the cost factor by 1 doubles the necessary time.
The salt is part of the string bcrypt stores in the database, see for instance the answer on Do I need to store the salt with bcrypt?
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With