8

I use the nodejs bcrypt library for better password protection.

I am not sure i understand exactly how to use it, but i got this so far:

//A module containing this login function:

login: function(credentials,req,res) {

    //"credentials" is containing email and password from login form

    var query = 'SELECT password, email FROM users WHERE email = ? LIMIT 1';

    client.query(query,[credentials.email], function(err, results) {

        if (results[0]) {

            //Compare passwords
        if (bcrypt.compareSync(credentials.password, results[0].password)) {

                //Set session data and redirect to restricted area

            }
        }
    });
}

I removed all the error handling here in the example so that its easier to read the code.

1.This works and i am able to login and set the session. But is this all there is to it? Am i missing something?

2.Looks like the salt is prepended to the password when generating hash. Dont I have to save the salt in db?

Any help appreciated

georgesamper
  • 4,989
  • 5
  • 40
  • 59

1 Answers1

6

Yes, this is all there is to it! The salt you generate when encrypting the password originally is used to prevent against rainbow table attacks; you do not need to persist it.

Michelle Tilley
  • 157,729
  • 40
  • 374
  • 311
  • Great. Really nice library. And easy to use – georgesamper May 28 '12 at 00:12
  • Great answer. This post also helped me understand why you do not need to persist the salt. http://stackoverflow.com/questions/277044/do-i-need-to-store-the-salt-with-bcrypt – emilebaizel Jun 04 '12 at 19:04
  • 1
    Beware: As the accepted answer of the question linked by @emilebaizel points out, the salt is stored as part of the resulting hash. The number of rounds used is also part of the hash, resulting in a single hash that has ALL the information the "checker" code needs. – Darkhogg Apr 01 '13 at 21:19