3

I've worked with a number of different hashing algorithms in the past and I was under the impression that they were all deterministic.

I just switched some of my code to use BCrypt.Net and I have to admit I was completely stumped when all of my comparison tests failed.

After looking for errors in my test for an embarrassing amount of time I realized that my assumption that the hashes are deterministic was completely incorrect. There is a verify method which works and it was easy enough to fix the code but I'd like to understand what is going on a little bit better.

Is it salting the values internally or is something else going on?

[screenshot: the comparison test referred to above]

  • Please note I am salting this in my real code - this is just a test.

Kelly Robins (reputation 7,168; badges 6 / 43 / 66)
  • Did you already take a look at the documentation or even the source code? I’m pretty sure it explains what `HashPassword` does internally. – Gumbo Oct 03 '15 at 12:49

1 Answer

9

Is it salting the values internally

Yep. bcrypt is more than a raw hash function, it includes the salt and a few other bits to allow the hash to be validated without extra input:

```text
$2a$12$q6r.MpvzPrUszrWLgaRdlOs04kPcjk0syCDelrzES9O8.UNlHON.u
 ^^ ^^ ^^^^^^^^^^^^^^^^^^^^^^
 |  |  \- salt
 |  \---- work factor
 \------- format
```

The API you're using doesn't expose it as you don't generally need to manipulate the salt, but it's there and you don't need to add your own.

bobince (reputation 528,062; badges 107 / 651 / 834)
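The following is an added example, not code from the question, the answer or the BCrypt.Net project itself, showing the behaviour described in the answer: two hashes of the same password differ because a fresh random salt is drawn each time, `Verify` still accepts both because it re-reads the salt and work factor from the stored string, and feeding that 29-character prefix back into `HashPassword` reproduces the stored hash exactly. It assumes the BCrypt.Net (or BCrypt.Net-Next) package with the `BCrypt.Net.BCrypt.HashPassword(string)`, `HashPassword(string, string salt)` and `Verify(string, string)` methods; the `Parse` helper and the `Check` helper are mine, and the password is a constructed sample.

```csharp
using System;

// Added example: assumes the BCrypt.Net / BCrypt.Net-Next NuGet package.
// Fully qualified names are used because the namespace "BCrypt.Net" and the
// class "BCrypt" collide when a using-directive is added.
class BcryptSaltDemo
{
    // Split a bcrypt string into the pieces the answer's diagram labels:
    //   $<format>$<work factor>$<22-char salt><31-char hash>
    // Helper written for this example; not part of the library.
    public static (string Format, int WorkFactor, string Salt, string Hash) Parse(string stored)
    {
        string[] parts = stored.Split('$');   // ["", "2a", "12", "<salt+hash>"]
        if (parts.Length != 4 || parts[3].Length != 53)
            throw new FormatException("not a bcrypt string: " + stored);

        return (parts[1],
                int.Parse(parts[2]),
                parts[3].Substring(0, 22),    // salt: 22 radix-64 chars (128 bits)
                parts[3].Substring(22));      // hash: 31 radix-64 chars
    }

    // Fail loudly instead of printing "True"/"False" so the demo documents itself.
    static void Check(bool condition, string what)
    {
        if (!condition) throw new InvalidOperationException("expectation failed: " + what);
        Console.WriteLine("ok: " + what);
    }

    static void Main()
    {
        const string password = "correct horse battery staple";   // constructed sample

        // Same input, two calls: the library draws a fresh random salt for each,
        // so the strings differ even though both are valid hashes of `password`.
        string h1 = BCrypt.Net.BCrypt.HashPassword(password);
        string h2 = BCrypt.Net.BCrypt.HashPassword(password);
        Check(h1 != h2, "two hashes of the same password differ (different salts)");

        // Verify re-reads salt and work factor from the stored string and
        // recomputes, so it accepts both; a plain string comparison never would.
        Check(BCrypt.Net.BCrypt.Verify(password, h1), "Verify accepts first hash");
        Check(BCrypt.Net.BCrypt.Verify(password, h2), "Verify accepts second hash");
        Check(!BCrypt.Net.BCrypt.Verify("wrong password", h1), "Verify rejects wrong password");

        // Given the same salt, bcrypt IS deterministic: the 29-char prefix
        // ("$2a$NN$" + 22 salt chars) is exactly what Verify feeds back in.
        string saltPrefix = h1.Substring(0, 29);
        string recomputed = BCrypt.Net.BCrypt.HashPassword(password, saltPrefix);
        Check(recomputed == h1, "re-hashing with the embedded salt reproduces the stored hash");

        // Show the structure the answer's diagram describes.
        var p = Parse(h1);
        Console.WriteLine($"format={p.Format} workFactor={p.WorkFactor} salt={p.Salt} hash={p.Hash}");
    }
}
```

The practical consequence for tests: never assert `HashPassword(x) == storedHash`; assert `Verify(x, storedHash)` instead, and if a test really needs a reproducible string, pass the stored salt prefix as the second argument to `HashPassword`. Storing the 60-character string as-is is all that is needed, since the salt and work factor travel inside it.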