
I am currently looking for a library to store a salted, hashed password in a web app. I came across mindrot's jbcrypt and think it might be the right choice (also see https://security.stackexchange.com/questions/21184/safe-to-use-jbcrypt-and-recommend-it-to-my-organization). However, one thing is puzzling me a little bit about the code. Generally, hashing and salting a password is done by calling

String hashed = BCrypt.hashpw(password, BCrypt.gensalt(12));

which uses a generated salt. To check a password later on, here you can see (as well as on the mindrot page) that the

if (BCrypt.checkpw(candidate, hashed))

function is invoked with a plain text candidate. Also, in the code of jbcrypt it says

public static boolean checkpw(String plaintext, String hashed)

Now my question is how can you compare a plain text password to a salted+hashed String without having the salt at comparison time (as it is not passed into the checkpw-function, obviously)?

Christian
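The mechanism the question is asking about, as an added example that is not part of the post or of jBCrypt's own source: the salt is not missing at verification time because it is embedded in the 60-character string that hashpw returns ("$2a$" + cost + "$" + 22 base64 characters of salt + 31 base64 characters of hash). The `split` and `verify` methods below are hypothetical names written to show that; `verify` mirrors what checkpw does internally, which is to call hashpw(candidate, hashed) so that the cost and salt are read from the stored string's prefix, then compare the two strings without an early exit. It assumes the real org.mindrot.jbcrypt.BCrypt class is on the classpath.

```java
import org.mindrot.jbcrypt.BCrypt;
import java.nio.charset.StandardCharsets;

public class BcryptSaltDemo {

    // A bcrypt string is self-describing: "$2a$" + 2-digit cost + "$" +
    // 22 chars of base64 salt + 31 chars of base64 hash, 60 chars in total.
    static String[] split(String hashed) {
        if (hashed.length() != 60 || !hashed.startsWith("$2"))
            throw new IllegalArgumentException("not a bcrypt hash: " + hashed);
        String version = hashed.substring(1, 3);   // "2a"
        int cost = Integer.parseInt(hashed.substring(4, 6));
        String salt = hashed.substring(7, 29);     // 22 chars = 128-bit salt
        String hash = hashed.substring(29);        // 31 chars = 184-bit hash
        return new String[] { version, String.valueOf(cost), salt, hash };
    }

    // What checkpw does internally: hashpw only reads the cost and the 22 salt
    // chars from its second argument, so passing the whole stored string
    // re-derives the hash with the original salt. The comparison ORs every
    // byte difference instead of returning on the first mismatch, so its
    // running time does not leak how many leading bytes matched.
    static boolean verify(String candidate, String hashed) {
        String recomputed = BCrypt.hashpw(candidate, hashed);
        byte[] a = hashed.getBytes(StandardCharsets.UTF_8);
        byte[] b = recomputed.getBytes(StandardCharsets.UTF_8);
        if (a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample password; the salt comes from gensalt(12).
        String stored = BCrypt.hashpw("correct horse", BCrypt.gensalt(12));
        String[] parts = split(stored);
        System.out.println("version=" + parts[0] + " cost=" + parts[1]
                + " salt=" + parts[2] + " hash=" + parts[3]);

        // verify() and the library's checkpw() agree for both outcomes.
        System.out.println(verify("correct horse", stored)
                == BCrypt.checkpw("correct horse", stored));
        System.out.println(verify("wrong password", stored)
                == BCrypt.checkpw("wrong password", stored));
    }
}
```

Because the salt and cost travel inside the stored string, only that one column needs to be persisted per user, and raising the cost later only requires re-hashing on the next successful login.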