So, I want to use bcrypt to perform salting, hashing and password validation for my webapp, but there is something I am missing: I am having problems understanding how it works.So, in order to safelty store passwords, I need to hash and salt them, then store both the computed has and the salt.Say I have a user foo_user, which has a password foo_pass. To safely store it I would have to perform the following steps:generate a unique salt for the user, done in bcrypt by genSalt(rounds): say the generated salt is thisisasaltgenerate the hash of the password+salt, done in bcrypt by hash("foo_pass"+"thisisasalt", salt): say the resulting hash is "thisisthehash"Store in both the hash and the saltSo, my DB would be something like:usernamepassword_hashsaltfoo_userthisisthehashthisisasaltNow, when the user wants to log in, he sends username and password. At this point, to check the password I need to compute the hash again and compare it with the stored one. In order to compute the hash again, though, I need the salt.Instead, the docs for bcrypt says the to compare all you have to do isbcrypt.compare(myPlaintextPassword, hash, function(err, res) {...}) without any indication to the salt, but instead referring to the plainTextPassword. I don't understand how this works, if the hash has been created using a salt.What I would do is instead to recompute the hash again from the password the user sent to the app and the salt, using bcrypt.hash(myPlaintextPassword, salt_from_db) and then using the resulting hash for comparison.Am I missing something? Why does the documentation talk about comparing the hash with the plain text password?
Submitted January 11, 2018 at 10:24AM by honestserpent
No comments:
Post a Comment