
I don't understand how using a random salt for hashing passwords can work. Perhaps random salt refers to something other than hashing passwords? Here is my thought process:

  1. The salt is used to add extra junk to the end of a password prior to hashing it, to fight against the likelihood of being cracked by a rainbow table

  2. However to ensure you can still verify a password is correct, you must use the same salt for each password prior to encrypting it to see if it matches the hash saved for a certain user

  3. If a random salt is used, how can that password ever be verified again?

I don't store the generated random salt in my database, yet I am still able to verify the password hash.

How is it possible?

I am taking the example below from the bcryptjs npm module:

// auto-gen a salt and hash:
const bcrypt = require('bcryptjs');
// 10 is the cost factor (salt rounds); the random salt itself is generated internally
const hash = bcrypt.hashSync('bacon', 10);

// compare hash: only the candidate password and the stored hash string are passed in
const validPass = bcrypt.compareSync('bacon', hash);

It works, it verifies the password, but how?

Update

I got some insight from here. If still someone could explain better that would be helpful.

sujeet
  • _I got some insight from here. If still someone could explain better that would be helpful:_ Your [linked answer](https://stackoverflow.com/a/6833165/9014097) explains everything in detail. Especially (3): The salt is stored together with the hash in a [shadow password](https://en.wikipedia.org/wiki/Bcrypt#Description), so that both are available for the verification process. What _exactly_ is still unclear or which aspect should be described more precisely? – Topaco Apr 16 '20 at 06:28
  • @Topaco Yeah. What to do of this question now? – sujeet Apr 16 '20 at 06:56
  • I think it's a [duplicate](https://meta.stackexchange.com/questions/10841/how-should-duplicate-questions-be-handled) of the link you posted ([How can bcrypt have built-in salts?](https://stackoverflow.com/questions/6832445/how-can-bcrypt-have-built-in-salts)) and have voted to close the question. – Topaco Apr 16 '20 at 07:43
