Is there a need to store bcrypt salt?

420    Asked by alexGONZALEZ in SQL Server , Asked on Jan 6, 2022

 I'm confused with bcrypt, I would think I would need to store my salt, and then compare my plain text password + salt to the hashed password, however from documentation it does not look like storing the salt is necessary at all. Indeed I used this code to create salt and hashed password: let salt = await bcrypt.genSalt(10);

  const saltpasshash = await new Promise((resolve, reject) => {
    bcrypt.hash(plain_text_password, salt, function(err, hash) {
      if (err) reject(err)
      resolve(hash)
    });
  })

  //NOTE I SAVE saltpasshash as users pass and the salt in a separate field in the users table. This works, what I am confused about is, will it return a valid result if I compare it as follows: valid = await bcrypt.compare(plain_text_password, user.saltpasshash); I'm confused as to why this would be valid when I am not providing the salt, and if so, what's the need to store the salt at all?


Answered by Amit verma

From a description of bcrypt at Wikipedia: ... The rest of the hash string includes the cost parameter, a 128-bit salt (Radix-64 encoded as 22 characters), and 184 bits of the resulting hash value (Radix-64 encoded as 31 characters) Thus, the bcrypt salt is automatically included in the output string which means there is no need to add it by yourself.



Your Answer

Interviews

Parent Categories