Closed adanvdo closed 5 years ago
Wikipedia is your friend https://en.m.wikipedia.org/wiki/Bcrypt
That doesn't really address the problem?
As I understand wikipedia, the salt is prepended to the hashed password.
For example, the shadow password record $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy specifies a cost parameter of 10, indicating 2^10 key expansion rounds. The salt is N9qo8uLOickgx2ZMRZoMye and the resulting hash is IjZAgcfl7p92ldGxad68LJZdL17lhWy. Per standard practice, the user's password itself is not stored. https://en.wikipedia.org/wiki/Bcrypt#Description
Please correct me if I'm wrong!
Ah, I see. Well, if they designed it that way then I guess there is no issue. I ended up just using crypto anyway.
I could be wrong, but I am pretty sure the resulting hash is not supposed to be the generated salt concatenated with the hash?
I decided to use this library because I had dependency problems with bcrypt. Using bcryptjs, the generated hash is just the salt appended by a hashed string. I have worked with salted hash passwords before and the resulting hash has never been like that. Pretty sure the result should be the plain text password combined with the salt, and then hash that value.
Example of current result hash:
generated salt: $2a$10$JIKvm/G2VB60Vug8m3T8Du
generated hash: $2a$10$JIKvm/G2VB60Vug8m3T8Du600ViyznayfU2miNjxFEXHP5qOxPpiy
If this is by design, I apologize. However, I don't really like it.
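The string layout discussed in this thread, as an added example that is not part of any post above and is not bcryptjs code: a small parser that splits a stored bcrypt string into version, cost, salt and hash, and checks that a generated salt string is the prefix embedded in the stored value. The function names (`decodeBcryptB64`, `parseBcrypt`, `saltMatches`) are hypothetical; the sample strings are the ones quoted in the thread.

```javascript
// bcrypt uses its own base64 alphabet (not the RFC 4648 one).
const B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

// Decode bcrypt-base64 text into bytes; trailing partial bits are dropped.
function decodeBcryptB64(text) {
  const bytes = [];
  let acc = 0, bits = 0;
  for (const ch of text) {
    const v = B64.indexOf(ch);
    if (v < 0) throw new Error("invalid bcrypt base64 character: " + ch);
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1;
    }
  }
  return bytes;
}

// Split "$<version>$<cost>$<22-char salt><31-char hash>" into its fields.
function parseBcrypt(stored) {
  const m = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/.exec(stored);
  if (!m) throw new Error("not a bcrypt hash string");
  const [, version, cost, salt, hash] = m;
  return {
    version,
    cost: Number(cost),
    rounds: 2 ** Number(cost),
    salt,
    saltBytes: decodeBcryptB64(salt),
    hash,
    // Same shape as the generated salt string; verification reads it back from here.
    saltString: `$${version}$${cost}$${salt}`,
  };
}

// True when a salt string is exactly the prefix embedded in a stored hash.
function saltMatches(saltString, stored) {
  return parseBcrypt(stored).saltString === saltString;
}

// Sample values quoted in the thread above.
const wiki = parseBcrypt("$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy");
const issue = "$2a$10$JIKvm/G2VB60Vug8m3T8Du600ViyznayfU2miNjxFEXHP5qOxPpiy";
console.log(wiki.cost, wiki.rounds, wiki.salt, wiki.hash, wiki.saltBytes.length);
console.log(saltMatches("$2a$10$JIKvm/G2VB60Vug8m3T8Du", issue));
```

The 22 salt characters decode to 16 bytes, and because the version, cost and salt travel inside the stored string, a verifier needs only that string and the candidate password.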