Lily Mara

Reputation: 4138

Is it really not required to generate salts for bcrypt?

I'm using the golang.org/x/crypto/bcrypt package for storing passwords. Looking at documentation and other SO questions, it seems like I'm not supposed to (or at least don't have to) generate a salt for the password before I generate the hash. This seems counter to everything that I've read about cryptography and modern password storing, and makes me a bit nervous. Is it really secure enough to just pass the user's normal password into bcrypt.GenerateFromPassword, or am I reading things wrong?

Upvotes: 1

Views: 539

Answers (1)

Thundercat

Reputation: 121119

The bcrypt package generates the salt for the application. The return value from GenerateFromPassword encodes the cost, salt and hash of the password.

Upvotes: 3
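
The layout the answer describes, as an added example (not part of the original answer and not code from the bcrypt package): a standard-library-only parser that splits a bcrypt hash string into version, cost, salt and digest. The names ParseBcrypt, Parsed and sampleHash are hypothetical, and sampleHash is a sample string in bcrypt's format used only to show the layout.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Sample string in bcrypt's format, used only to show the layout.
const sampleHash = "$2a$10$XajjQvNhvvRt5GSeFk1xFeyqRrsxkhBkUiQeg0dt.wU1qD4aFDcga"

// bcrypt uses its own base64 alphabet and no padding.
var bcryptB64 = base64.NewEncoding("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789").WithPadding(base64.NoPadding)

// Parsed holds the fields packed into one bcrypt hash string.
type Parsed struct {
	Version string
	Cost    int
	Salt    []byte // 16 random bytes chosen at hashing time
	Digest  []byte // 23 bytes of bcrypt output
}

// ParseBcrypt splits "$<version>$<cost>$<22-char salt><31-char digest>".
func ParseBcrypt(h string) (Parsed, error) {
	f := strings.Split(h, "$")
	if len(f) != 4 || f[0] != "" || !strings.HasPrefix(f[1], "2") || len(f[3]) != 53 {
		return Parsed{}, errors.New("not a bcrypt hash string")
	}
	cost, err := strconv.Atoi(f[2])
	if err != nil || cost < 4 || cost > 31 { // bcrypt.MinCost..bcrypt.MaxCost
		return Parsed{}, errors.New("bad cost field")
	}
	salt, err := bcryptB64.DecodeString(f[3][:22])
	if err != nil {
		return Parsed{}, fmt.Errorf("salt: %w", err)
	}
	digest, err := bcryptB64.DecodeString(f[3][22:])
	if err != nil {
		return Parsed{}, fmt.Errorf("digest: %w", err)
	}
	return Parsed{f[1], cost, salt, digest}, nil
}

func main() {
	p, err := ParseBcrypt(sampleHash)
	fmt.Println(p.Version, p.Cost, len(p.Salt), len(p.Digest), err)
}
```

Because the salt travels inside the stored string, bcrypt.CompareHashAndPassword needs only that string and the candidate password.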
