
I want to deploy my program to another server. Can my script correctly decrypt all of my customers' passwords in the database?

```javascript
//old server
const bcrypt = require("bcrypt");
const salt = bcrypt.genSaltSync();                 // random salt, embedded in the resulting hash string
const password = bcrypt.hashSync("password", salt); // this string is what gets stored in the database

//new server
const auth = bcrypt.compareSync("password", password); // plaintext candidate first, stored hash second
```

How can BCrypt decrypt passwords with a variable salt that is generated randomly?

    Does this answer your question? [How can bcrypt have built-in salts?](https://stackoverflow.com/questions/6832445/how-can-bcrypt-have-built-in-salts) – jabaa Jan 08 '22 at 00:30

1 Answer


BCrypt hashes are stored in one of two forms.

The more common is Modular Crypt Format and has the form...

$2y$10$kV7kssmFuFOydBewIp9ele8GMkWGDPpte6jGGDAabpsBmxtzWxfZW

Where:

  • $ is a delimiter
  • 2 indicates the algorithm is BCrypt
  • y is the version of BCrypt
  • 10 is the cost
  • kV7kssmFuFOydBewIp9ele is the salt
  • 8GMkWGDPpte6jGGDAabpsBmxtzWxfZW is the hash.

A more modern alternative is PHC string format which makes it more obvious which parts correspond to which values:

$bcrypt$v=98$r=10$cIF1Ev2ATA6/iYv4kddXCQ$qcrDoGjsiB2eLq1/vCZWiAZ8bEs4+Qs

In both cases, the string persisted to your database is completely portable and contains everything necessary to compare a candidate password: the hash, salt, cost, algorithm name, and algorithm version.

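As an added example (not code from the question or the answer above), the following parses a stored bcrypt string in either of the two formats the answer describes and pulls out the fields a freshly deployed server relies on. It needs no npm packages; the two sample strings are the ones quoted in the answer. Assumptions: the salt and hash in Modular Crypt Format use bcrypt's own base64 alphabet (`./A-Za-z0-9`) with lengths 22 and 31, and in the PHC sample the `r` parameter is read as the cost (it matches the `10` in the MCF sample). The `needsRehash` helper is a migration check of my own: if the new deployment raises the cost, it tells you which stored strings should be rehashed on the user's next successful login.

```javascript
// Added example, not from the question or the answer: parse a stored bcrypt
// string and show that algorithm, variant, cost and salt all travel with it.

// Modular Crypt Format: $2<variant>$<cost>$<22-char salt><31-char hash>
// Assumption: salt and hash use bcrypt's base64 alphabet ./A-Za-z0-9.
const MCF_RE = /^\$2([abxy])?\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

function parseBcryptMcf(stored) {
  const m = MCF_RE.exec(stored);
  if (m === null) return null; // not a bcrypt MCF string
  const cost = parseInt(m[2], 10);
  return {
    format: "mcf",
    algorithm: "bcrypt",
    variant: "2" + (m[1] || ""), // the letter after "2", if any: 2, 2a, 2b, 2x or 2y
    cost,                        // log2 of the iteration count
    iterations: 2 ** cost,
    salt: m[3],
    hash: m[4],
  };
}

// PHC string format: $<id>[$v=<version>][$<k>=<v>,...][$<salt>[$<hash>]]
function parsePhc(stored) {
  const parts = stored.split("$");
  if (parts.length < 2 || parts[0] !== "" || parts[1] === "") return null;
  const out = { format: "phc", algorithm: parts[1], version: null, params: {}, salt: null, hash: null };
  let i = 2;
  if (i < parts.length && /^v=\d+$/.test(parts[i])) {
    out.version = parseInt(parts[i].slice(2), 10);
    i += 1;
  }
  if (i < parts.length && parts[i].includes("=")) {
    for (const kv of parts[i].split(",")) {
      const [k, v] = kv.split("=");
      out.params[k] = v;
    }
    i += 1;
  }
  if (i < parts.length) out.salt = parts[i++];
  if (i < parts.length) out.hash = parts[i++];
  return out;
}

// One entry point for whatever the old server wrote to the database.
function parseStoredPassword(stored) {
  if (typeof stored !== "string") return null;
  return stored.startsWith("$2") ? parseBcryptMcf(stored) : parsePhc(stored);
}

// Migration check (my own helper): a stored string whose cost is below the
// target should be rehashed on the user's next successful login. Unparseable
// strings are reported as needing attention too.
function needsRehash(stored, targetCost) {
  const p = parseStoredPassword(stored);
  if (p === null) return true;
  // Assumption: in the PHC form the "r" parameter carries the cost.
  const cost = p.format === "mcf" ? p.cost : parseInt(p.params.r, 10);
  return Number.isNaN(cost) || cost < targetCost;
}

// Sample strings quoted in the answer above.
const MCF_SAMPLE = "$2y$10$kV7kssmFuFOydBewIp9ele8GMkWGDPpte6jGGDAabpsBmxtzWxfZW";
const PHC_SAMPLE = "$bcrypt$v=98$r=10$cIF1Ev2ATA6/iYv4kddXCQ$qcrDoGjsiB2eLq1/vCZWiAZ8bEs4+Qs";

console.log(parseStoredPassword(MCF_SAMPLE));
console.log(parseStoredPassword(PHC_SAMPLE));
console.log("needs rehash at cost 12:", needsRehash(MCF_SAMPLE, 12));
```

Because the salt is read back out of the stored string, the new server never needs to know what salt the old server generated: `bcrypt.compare(candidate, storedString)` recomputes the hash with the embedded salt and cost and compares the result. The parser above is only there to make that visible; in production, keep using the library's compare function rather than reassembling the pieces yourself.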