I am using a .NET Bcrypt hash implementation from a third-party library, and it has a method that creates a hash simply by providing text or a password, like below.

Bcrypt.HashPassword("password") 

I know that the generated hash contains salt information, but it doesn't take a salt parameter while creating the hash.

Does Bcrypt create a random salt internally and use it?

Can it cause a security weakness if I don't use the salt overloaded method?

Freshblood

1 Answer

From a theoretical standpoint, you should be doing the following, where P is the given password:

  1. Generate a cryptographically-strong random salt S.
  2. Compute H = Hash(S + P), where Hash is a cryptographically-strong hashing algorithm.
  3. Store S and H in your database for the current user.

At authentication time, given candidate password P' for someone claiming to be that same user, validate the user if and only if H == Hash(S + P').

Does Bcrypt create a random salt internally and use it?

The salt is not something it should be creating only internally. It should be giving you the salt to store with the hashed salt + password.

Can it cause a security weakness if I don't use the salt overloaded method?

Yes.

Timothy Shields
  • You look right theoretically, but you miss some details about Bcrypt. Bcrypt can verify a hash and text without needing an extra salt parameter because the hash string already contains the salt information. Check this question's answer: http://stackoverflow.com/questions/5393803/can-someone-explain-how-bcrypt-verifies-a-hash . So there is no need to save the salt somewhere. – Freshblood Apr 13 '14 at 03:46
  • @Freshblood Ah, I didn't know the details of the Bcrypt library. So basically what they're calling the hash is really just the concatenation of the salt and the hash (or something like that). I'll leave this answer here anyway, even though there's probably a better one that explains that behavior of Bcrypt. – Timothy Shields Apr 13 '14 at 04:00
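The following is an added example, not code from the question's .NET library, the answer, or the comments. It implements the answer's salt-then-hash-then-store procedure with the Python standard library (PBKDF2-HMAC-SHA256 stands in for bcrypt, which is an assumption for the sake of running offline), stores the salt inside the returned string the same way a bcrypt hash string does, and verifies a candidate password by parsing the salt back out. The last function splits a bcrypt-format string into its fields to show where the salt sits, which is why the question's HashPassword overload needs no salt argument and the salt never has to be stored in a separate column. The iteration count, the "$pbkdf2-sha256$" prefix and the bcrypt string used in the demo are constructed for this example; the demo string has the correct bcrypt layout but is not the hash of any real password.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumption for this example: a PBKDF2 work factor high enough to slow
# offline guessing but fast enough for a test run.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Steps 1-2 of the answer: random salt S, then H = Hash(S + P).

    Returns one self-describing string, "$pbkdf2-sha256$<iter>$<S>$<H>",
    so step 3 (store S and H) becomes storing a single value, exactly as a
    bcrypt hash string bundles its own salt.
    """
    if salt is None:
        salt = os.urandom(16)  # cryptographically strong random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$pbkdf2-sha256${}${}${}".format(
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(candidate: str, stored: str) -> bool:
    """Authentication: recover S from the stored string, recompute
    Hash(S + P') and compare in constant time. Malformed input is rejected
    rather than raising, so a corrupt database row cannot crash login."""
    try:
        _, scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        rounds = int(iterations)
    except ValueError:
        return False
    if scheme != "pbkdf2-sha256" or rounds <= 0:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def parse_bcrypt_string(hash_string: str) -> dict:
    """Split a bcrypt hash string into its fields.

    Layout: $<version>$<cost>$<22-char salt><31-char hash>, where version is
    2a, 2b or 2y and the last 53 characters use bcrypt's own base64
    alphabet (./A-Za-z0-9). The salt is simply the first 22 of those
    characters, which is what lets the library verify without a separate
    salt parameter.
    """
    parts = hash_string.split("$")
    if (len(parts) != 4 or parts[0] != "" or parts[1] not in ("2a", "2b", "2y")
            or not parts[2].isdigit() or len(parts[3]) != 53):
        raise ValueError("not a bcrypt hash string")
    return {
        "version": parts[1],
        "cost": int(parts[2]),
        "salt": parts[3][:22],
        "hash": parts[3][22:],
    }


if __name__ == "__main__":
    stored = hash_password("correct horse")
    print("stored value:", stored)
    print("right password verifies:", verify_password("correct horse", stored))
    print("wrong password verifies:", verify_password("wrong horse", stored))
    # Constructed bcrypt-format string with the right layout; not a real hash.
    demo = "$2b$12$" + "A" * 22 + "B" * 31
    print("bcrypt fields:", parse_bcrypt_string(demo))
```

Because every call to hash_password draws a fresh salt, hashing the same password twice yields two different stored strings, and a verifier only ever needs the stored string plus the candidate password; that is the behaviour the comments describe for bcrypt's own HashPassword and Verify pair.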