Is there a need to store bcrypt salt?

Asked by alexGONZALEZ in SQL Server, asked on Jan 6, 2022

I'm confused with bcrypt. I would think I would need to store my salt, and then compare my plain text password + salt to the hashed password; however, from the documentation it does not look like storing the salt is necessary at all. Indeed, I used this code to create the salt and hashed password:

  let salt = await bcrypt.genSalt(10);

  const saltpasshash = await new Promise((resolve, reject) => {
    bcrypt.hash(plain_text_password, salt, function(err, hash) {
      if (err) return reject(err);
      resolve(hash);
    });
  });
  // NOTE: I save saltpasshash as the user's pass and the salt in a separate field in the users table.

This works. What I am confused about is, will it return a valid result if I compare it as follows:

  valid = await bcrypt.compare(plain_text_password, user.saltpasshash);

I'm confused as to why this would be valid when I am not providing the salt, and if so, what's the need to store the salt at all?

Answered by Amit verma

From a description of bcrypt at Wikipedia:

... The rest of the hash string includes the cost parameter, a 128-bit salt (Radix-64 encoded as 22 characters), and 184 bits of the resulting hash value (Radix-64 encoded as 31 characters).

Thus, the bcrypt salt is automatically included in the output string, which means there is no need to add it by yourself.
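The layout described in the answer, as an added example that is not part of the original post or of the bcrypt package: a parser that splits a stored bcrypt string into version, cost, salt and hash using only Node built-ins. The sample string is constructed (it is not the hash of any password), and `separateSaltIsRedundant` is a hypothetical helper that assumes the salt column holds the string `bcrypt.genSalt()` returned.

```javascript
// bcrypt's Radix-64 alphabet differs from standard base64 only in symbol order.
const BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
const STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// $<version>$<2-digit cost>$<22-char salt><31-char hash>, 60 characters in total
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Constructed sample in bcrypt's format; not the hash of any real password.
const SAMPLE = "$2b$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234";

function parseBcrypt(stored) {
  const m = BCRYPT_RE.exec(stored);
  if (!m) throw new Error("not a bcrypt hash string");
  const [, version, cost, salt, hash] = m;
  // Remap each salt character to the standard alphabet, then decode to raw bytes.
  const std = [...salt].map((c) => STD_B64[BCRYPT_B64.indexOf(c)]).join("");
  return {
    version,
    cost: Number(cost),            // work factor: 2^cost key-expansion rounds
    salt,                          // 22 Radix-64 characters
    saltBytes: Buffer.from(std, "base64"), // the 128-bit salt
    hash,                          // 31 Radix-64 characters (184 bits)
    saltPrefix: stored.slice(0, 29), // "$2b$10$" + salt, the shape genSalt() returns
  };
}

// Hypothetical helper: true when a separately stored salt column only repeats
// what is already embedded in the hash column.
function separateSaltIsRedundant(saltColumn, hashColumn) {
  return parseBcrypt(hashColumn).saltPrefix === saltColumn;
}

const parsed = parseBcrypt(SAMPLE);
console.log(parsed.version, parsed.cost, parsed.salt, parsed.saltBytes.length);
```

Because the cost and salt travel inside the stored string, a verifier can recompute the hash from the candidate password and that string alone, which is why the compare call needs no salt argument.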
