views:

841

answers:

1

bCrypt's javadoc has this code for how to encrypt a password:

String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt());

To check whether a plaintext password matches one that has been hashed previously, use the checkpw method:

if (BCrypt.checkpw(candidate_password, stored_hash))
    System.out.println("It matches");
else
    System.out.println("It does not match");

These code snippets imply to me that the randomly generated salt is thrown away. Is this the case, or is this just a misleading code snippet?

+13  A: 

The salt is probably incorporated into the hash (as plaintext).

For example, in traditional Unix passwords the salt was stored as the first two characters of the password. The remaining characters represented the hash value. The checker function knows this, and pulls the hash apart to get the salt back out.

Greg Hewgill
The salt IS incorporated in the password. So you don't have to save the salt.
swapnonil
Thanks for that. I wish they said that in the javadoc :)(I've looked at the source and confirmed - but I didn't know what I was looking for before)
RodeoClown
Thanks - never mentioned in the Python docs either.
Nikhil Chelliah