
I am currently working in node and noticed that bcrypt puts the salt in the initial portion of the hash

password: "$2a$04$kpj4oCA/b85xWAIL3n4l9uPMA2Ku4VR90oT3iE9IZVvREvmmJCZem"
salt: "$2a$04$kpj4oCA/b85xWAIL3n4l9u"

Is doing this safe? I mean, the purpose of hashing and salting is to stop the developers from inserting plain passwords in the database. So if someone gets into my database, now they know my salt, and then it's just a matter of brute forcing all the passwords until I get the rest of the hash. Why is salting necessary then? I could just store the hash only without salting.

1 Answer

The salt is usually saved as plain text. The logic behind the random salt is that every hash is different: with the same password plus a random salt you get a more random hash, not the same hash for the same password. This counters rainbow tables, reverse hashing, etc.

Without a random salt, the password "test" would always generate the same hash when using the same hashing algorithm, so knowing the plain salt cannot be used to reverse the password in that manner.

That's just my short explanation. If you want to read more about salting and hashing, I'm sure there is plenty of info on that topic available.
