
When I was designing a secure authentication system using express, I did some tests on the bcryptjs package for hashing passwords. It generates a salt with salt = bcrypt.genSaltSync() and, as instructed in the official docs, when I salted the password with hash = bcrypt.hashSync(pwd, salt), I found out that it actually salts the hash, but not the raw password. As an example, when I used the password 'sidx',

the salt: $2a$10$4k/5/KcJq9FbdoY1gynpj.

the hash: $2a$10$4k/5/KcJq9FbdoY1gynpj.uxmftRhH4PW4TWYxcrXizPNUTDM6VwG

(you can notice the hash itself has been salted instead of the password.)

Now I have 2 questions.

  1. Instead of this can we first salt the raw password and then hash it?
  2. When comparing the hash and the raw password, we don't need to give the salt to the compare function. But there is no way to identify up to which character the hash is salted, yet express knows how to separate the salt from the hash exactly. How is express doing that?
d0ppL3G
    Does this answer your question? [How can bcrypt have built-in salts?](https://stackoverflow.com/questions/6832445/how-can-bcrypt-have-built-in-salts) – Martheen Oct 14 '22 at 10:36
  • @Martheen Yeah, but not entirely. Now I know how the salt is determined. But can we salt the password itself instead of salting the hash? Since if we have the entire hash it is an easy job to separate the salt and the hash of the password in this case. – d0ppL3G Oct 14 '22 at 10:47
  • Sigh, the password is already hashed alongside the salt. The "hash" in your question is actually the version, cost factor, the salt, and the cipher concatenated. – Martheen Oct 14 '22 at 10:51
  • Ahh, now I got it. It means if I hashed 'sidx' without the salt (with the same hashing algorithm), the hash value won't be 'uxmftRhH4PW4TWYxcrXizPNUTDM6VwG'. Right? – d0ppL3G Oct 14 '22 at 10:58
    Correct, read up about the implementation on the linked answer – Martheen Oct 14 '22 at 22:09

0 Answers