How does node.bcrypt.js compare hashed and plaintext passwords without a salt?

From GitHub:

To hash a password:

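var bcrypt = require('bcrypt');
// Generate a salt (10 = number of rounds), then hash the password with it.
bcrypt.genSalt(10, function(err, salt) {
  if (err) {
    throw err; // do not go on to hash with an undefined salt
  }
  bcrypt.hash("B4c0/\/", salt, function(err, hash) {
    if (err) {
      throw err; // do not store an undefined hash
    }
    // Store hash in your password DB.
  });
});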

To verify the password:

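 // Load hash from your password DB.
// compare() re-hashes the candidate with the salt embedded in `hash` and
// reports the result in `res`; `err` is set when the stored hash is malformed.
bcrypt.compare("B4c0/\/", hash, function(err, res) {
  if (err) {
    throw err;
  }
  // res === true
});
bcrypt.compare("not_bacon", hash, function(err, res) {
  if (err) {
    throw err;
  }
  // res === false
});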

Above, how can salt values be involved in the comparison? What am I missing here?

bcrypt
Oct 23
2 answers

The salt is included in the hash (in clear text). The comparison function simply pulls the salt out of the stored hash, uses it to hash the supplied password, and then compares the two results.

Oct 23 '12 at 6:00

I had the same question as the original poster, so I looked around a bit and tried different things to understand the mechanism. As others have already pointed out, the salt is concatenated with the final hash. This means a couple of things:

  • The algorithm must know the length of the salt
  • It must also know the position of the salt in the final string, for example whether it is offset by a certain number of characters from the left or right.

These two things are usually hard-coded in the implementation; for example, the bcryptjs implementation source defines the salt length as 16:

 /**
 * Length of the salt used by bcryptjs.
 * @type {number}
 * @const
 * @private
 */
var BCRYPT_SALT_LEN = 16;

So, to illustrate the basic idea, doing it manually would look something like the code below. I do not recommend implementing things like this yourself when there are libraries that already do it for you.

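 var salt_length = 16;
var salt_offset = 0;

/**
 * Generates a random salt of salt_length characters and passes it to callback.
 *
 * NOTE(review): Math.random() is not a cryptographically secure generator, so a
 * real implementation must take the salt from crypto.randomBytes (Node) or
 * crypto.getRandomValues (browsers). It is kept here only to show the layout.
 *
 * @param {function(string)} callback - receives the generated salt
 */
var genSalt = function(callback) {
  // Digits and letters only. The original listing spelled this alphabet with a
  // duplicated 'u' and 'U', which made those two characters twice as likely.
  var alphaNum = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
  var salt = '';
  for (var i = 0; i < salt_length; i++) {
    var j = Math.floor(Math.random() * alphaNum.length);
    salt += alphaNum[j];
  }
  callback(salt);
};

// Cryptographic hash function of your choice, e.g. SHA-2, preferably taken from
// an external library or the platform's crypto module (don't reinvent the wheel).
// This placeholder throws instead of returning undefined: with a silent stub,
// hash() stored "<salt>undefined" and compare() then accepted every password.
var shar2 = function(str) {
  throw new Error('shar2 is a placeholder: plug in a real hash function');
};

/**
 * Salts and hashes passwordText.
 *
 * The stored value is the salt followed by shar2(passwordText + salt), so that
 * compare() can read the salt back from the first salt_length characters.
 *
 * @param {string} passwordText - the plaintext password
 * @param {function(?Error, string=)} callback - error-first; receives the
 *   stored hash string, or the error thrown by shar2
 */
var hash = function(passwordText, callback) {
  genSalt(function(salt) {
    var passwordHash;
    try {
      passwordHash = salt + shar2(passwordText + salt);
    } catch (err) {
      callback(err);
      return;
    }
    // Called inside genSalt's callback so the result stays correct if genSalt
    // ever becomes asynchronous (the original invoked callback outside it and
    // would then have handed back a null hash).
    callback(null, passwordHash);
  });
};

/**
 * Checks passwordText against a value produced by hash().
 *
 * @param {string} passwordText - the plaintext password to check
 * @param {string} passwordHash - the stored salt+hash string; anything that is
 *   not a string (e.g. a user with no password set) compares as false
 * @param {function(boolean)} callback - receives true if they match
 * @throws whatever shar2 throws
 */
var compare = function(passwordText, passwordHash, callback) {
  if (typeof passwordHash !== 'string') {
    callback(false);
    return;
  }
  var salt = passwordHash.slice(salt_offset, salt_offset + salt_length);
  // Declared with var: the original assigned an implicit global here.
  var validatedHash = salt + shar2(passwordText + salt);
  // NOTE(review): === stops at the first differing character; a real
  // implementation compares with a constant-time function such as Node's
  // crypto.timingSafeEqual.
  callback(passwordHash === validatedHash);
};

// sample usage

/**
 * Replaces user.pass (plaintext) with its salted hash, in place.
 *
 * @param {{pass: string}} user - object with fields like username, pass, email
 * @returns {object} the same user object, with pass replaced
 * @throws the error hash() reports, rather than leaving the plaintext in place
 */
var encryptPassword = function(user) {
  hash(user.pass, function(err, passwordHash) {
    if (err) {
      throw err;
    }
    // use the hashed password here
    user.pass = passwordHash;
  });
  return user;
};

/**
 * Logs whether passwordText matches the hash stored on user.
 *
 * @param {string} passwordText - the plaintext password to check
 * @param {{pass: string}} user - as returned from the database, pass hashed
 */
var checkPassword = function(passwordText, user) {
  compare(passwordText, user.pass, function(result) {
    // result is true only if the two hashes are equal
    if (result) {
      // succeeded
      console.log('Correct Password');
    } else {
      // failed
      console.log('Incorrect Password');
    }
  });
};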
May 24 '14 at 5:23


