RodeoClown
Reputation: 13788
Do I need to store the salt with bcrypt?
bCrypt's javadoc has this code for how to encrypt a password:
String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt());
To check whether a plaintext password matches one that has been hashed previously, use the checkpw method:
if (BCrypt.checkpw(candidate_password, stored_hash))
System.out.println("It matches");
else
System.out.println("It does not match");
These code snippets imply to me that the randomly generated salt is thrown away. Is this the case, or is this just a misleading code snippet?
Upvotes: 210
Views: 44049
Answers (1)
Greg Hewgill
Reputation: 992697
The salt is incorporated into the hash (encoded in a base64-style format).
For example, in traditional Unix passwords the salt was stored as the first two characters of the password. The remaining characters represented the hash value. The checker function knows this, and pulls the hash apart to get the salt back out.
Upvotes: 240
Related Questions
- Can plaintexts be set or converted into salts in BCrypt?
- Do we need to use a fixed salt with BCrypt?
- Is it really not required to generate salts for bcrypt?
- How Do I Separate The Salt from the Hash After Encrypting a Password with bCrypt using Java?
- BCrypt: how can I generate a salt from the string I am hashing?
- Storing hashed password
- Java: Is this good use of BCrypt?
- Hashing password using salt
- What to use for password hashing? Any reason not to use jBCrypt?
- Am I supposed to save the salt somewhere when hashing a password?