
I would like to use node.js bcrypt to hash passwords before storing them in the database.

This link provides the documentation. https://github.com/kelektiv/node.bcrypt.js

Here is an example on hashing the password.

var bcrypt = require('bcrypt');
const saltRounds = 10;
const myPlaintextPassword = 's0/\/\P4$$w0rD';

var salt = bcrypt.genSaltSync(saltRounds);
var hash = bcrypt.hashSync(myPlaintextPassword, salt);
// Store hash in your password DB.

Here is the code to check the password.

// Load hash from your password DB.
bcrypt.compareSync(myPlaintextPassword, hash); // true

This is what I don't understand. In bcrypt.compareSync, why is there no parameter salt? Since the hash is generated from salt, why does comparing the plaintext password not involve the original salt used in hashing?

guagay_wk

1 Answer


The salt is part of the string bcrypt stores in the database, see for instance the answer on Do I need to store the salt with bcrypt?

rypskar
  • Thanks. If salt is part of the generated hash, wouldn't that somewhat make bcrypt less secure? – guagay_wk Jan 10 '17 at 08:42
  • No, it doesn't. The salt always has to be available, storing it with the hash or separately makes no difference to security. The purpose of the salt is to prevent rainbow table attacks, and for that purpose it is not a problem if the attacker has the salt. – Tom Jan 10 '17 at 08:45