
My understanding from my initial reading of how BCrypt hashes passwords is that it:

Then when verifying a supplied password, it:

  • takes the supplied password
  • retrieves the hashed password
  • finds the salt from the end of the hashed password
  • hashes the supplied password using the salt from the stored password
  • checks whether the two are the same

My question is - if the salt is appended to the hashed password, what stops a human from a) finding it and b) potentially using it to brute-force finding a password? Does it not negate the benefit of having a random salt rather than a known, but not stored, one?

Chris A
  • Nothing, the salt is not there to prevent brute forcing a password. The salt is there to prevent precomputing a huge table of hashed passwords aka a "rainbow table". [Here](https://crackstation.net/hashing-security.htm) is a good tutorial. – President James K. Polk Sep 22 '21 at 12:29
  • Does this answer your question? [Why do we use the "salt" to secure our passwords?](https://stackoverflow.com/questions/5252943/why-do-we-use-the-salt-to-secure-our-passwords) – OrangeDog Feb 16 '23 at 11:27
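
The verification steps in the question and the rainbow-table point in the first comment, as an added example that is not part of the original thread. `parse_bcrypt` shows where the cost and salt sit in a standard bcrypt string (directly after the version and cost fields); the rest uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt. The sample string, iteration count and all function names are constructed for this illustration.

```python
import hashlib
import hmac
import os
import re

# bcrypt modular-crypt layout: $<version>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d\d)\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Constructed string with the right layout only; not the hash of any password.
SAMPLE = "$2b$12$" + "abcdefghijklmnopqrstuv" + "0123456789" * 3 + "A"


def parse_bcrypt(encoded):
    """Split a bcrypt string into its public parameters and the digest."""
    m = BCRYPT_RE.match(encoded)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    version, cost, salt, digest = m.groups()
    return {"version": version, "cost": int(cost), "salt": salt, "digest": digest}


# Stand-in for bcrypt (assumption): PBKDF2-HMAC-SHA256 from the standard library.
ITERATIONS = 50_000  # demo value, not a recommendation


def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex'; the salt is stored in the clear by design."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Re-hash the candidate with the stored salt, then compare in constant time."""
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def precomputed_table_hits(table, records):
    """Count stored records whose digest appears in a table built without their salts."""
    return sum(1 for r in records if r.split("$")[1] in table)
```

Two records for the same password differ because each gets its own salt, so a digest table computed in advance under any single salt matches none of them; the work has to be redone per record, at the full cost of the slow hash.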

0 Answers