I'm trying to use Spring's BCrypt implementation. I noticed the checkpw()
method takes 2 arguments: the plaintext password and the hash. How is the method able to verify this without the salt being included?
user2066880

- Why don't you use the `BCryptPasswordEncoder` class instead? P.S. See [this question too](http://stackoverflow.com/questions/277044/do-i-need-to-store-the-salt-with-bcrypt?rq=1). – Branislav Lazic Sep 25 '14 at 23:54
- Just adding on further, the main question is: what are you trying to achieve with the checkpw() functionality? Furthermore, Branislav has pointed out a good answer for a similar question. – Aeseir Sep 26 '14 at 01:28
1 Answer
It can verify and it's not magical: the BCrypt-encoded hash contains the salt. You can store the salt in a variable to inspect it:

import org.springframework.security.crypto.bcrypt.BCrypt;

String plain_password = "correct horse battery staple"; // any plaintext will do
String salt = BCrypt.gensalt();                          // "$2a$10$" + 22 salt characters
String pw_hash = BCrypt.hashpw(plain_password, salt);
System.out.println(salt);
System.out.println(pw_hash);   // begins with exactly the string printed for salt

qingbo