Question about Hash & Salt (Chapter 7)June 27, 2020 at 5:48am
I think, I understand what hash & salt does but I don't understand how bcrypt does it.
We use hash & salt to make sure that the hashed password are unique even if the original plain text password is the same.
From the example I found online, the plain text password is concat with random salt, then hashed and we save both salt and hash in the DB because when we want to compare the password (verify user), we need both the plain text password (that user input) and the salt.
However, in the sample code, I see only the plain text password in use. So, if 2 persons use the same password, then the hashed should be the same, right?
P.S. English is not my native tongue, so please pardon my language.
June 27, 2020 at 10:21am
Hi ! Only the final hash needs to be stored in the DB. This article goes into very thorough details about how bcrypt works https://auth0.com/blog/hashing-in-action-understanding-bcrypt/
we first create a salt through the
bcrypt.genSaltfunction that takes the cost,
saltRounds. Upon success, we get a salt value that we then pass to
bcrypt.hashalong with the password... that we want to hash. The success of
bcrypt.hashprovides us with the hash that we need to store in our database. In a full implementation
Because of the way that the encryption works, the final hash that is stored in the database would not be the same, even if the plain text is the same. I thew together a demon on Glitch to demonstrate this: https://glitch.com/~slash-nebulous-twister
I hope that is helpful!
After reading the article and seeing demo code, I understand where I misunderstand.
Before I think that the password plus salt is concat together before doing the hash, so I wonder how can we recreate the hash.
But in fact, the password is hashed and then concat with the salt. The final hash contain both the hashed password part and the salt. When we verify the password, only the password part is used.
Again, thank you very much for the information and the demo code.