Today I learned something I didn’t know before, mostly because I haven’t implemented a login scheme in a long time. Bcrypt abstracts away having to store and deal with a salt! That is, every bcrypt hash is automatically salted, and the salt travels inside the hash string itself, so there is no separate salt column to keep in sync.
How? The salt (and the cost) are encoded right into the hash string, so a verifier reads them back out of the stored value before re-hashing the candidate password, as described by this awesome SO article.
Anatomy of a Bcrypt Hash
A bcrypt hash is cool! It has three parts, separated by $ signs:
- A version tag (such as $2a$, $2b$ or $2y$) that says which bcrypt variant was used to generate the hash.
- A cost factor: two decimal digits giving the base-2 log of the number of key-expansion rounds, so cost 10 means 2^10 = 1024 rounds and every +1 doubles the work. You can tell how expensive it was to generate the hash, and therefore how expensive it is to brute-force. What a sweet interface for a world where the cost of hashes needs to keep going up as computers get faster.
- A concatenated salt + ciphertext string: 22 characters of salt (128 bits, i.e. 16 bytes) followed by 31 characters of ciphertext (184 bits, i.e. 23 bytes). Both use bcrypt’s own base64 alphabet (./A-Za-z0-9), which is not the standard base64 alphabet, so a stock base64 decoder will mis-decode it.
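To make the three parts concrete, here is a small parser for the bcrypt string format. It is an added example written for this post, not code from the author or from any bcrypt library, and it deliberately uses only the standard library: it splits the string into version, cost, salt and digest, decodes the salt and digest with bcrypt's own base64 alphabet, and adds the check a login handler wants, namely whether a stored hash's cost has fallen below current policy and should be re-hashed on the next successful login. The sample hash string is used only for its format; what password it encodes is not relevant here. The names `parse_bcrypt`, `bcrypt_b64decode`, `needs_rehash` and `BcryptHash` are this example's own.

```python
import re
from dataclasses import dataclass

# bcrypt's own base64 alphabet: '.' and '/' first, then A-Z, a-z, 0-9.
# This is NOT RFC 4648 base64, so base64.b64decode() would mis-decode it.
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# $<version>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# Sample bcrypt string, used here only for its format (names/values are this
# example's assumptions; no claim is made about which password it encodes).
SAMPLE = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"


@dataclass(frozen=True)
class BcryptHash:
    version: str    # "2a", "2b", "2y", ...
    cost: int       # base-2 log of the key-expansion rounds
    salt: bytes     # 16 bytes
    digest: bytes   # 23 bytes

    @property
    def rounds(self) -> int:
        return 1 << self.cost


def bcrypt_b64decode(text: str, nbytes: int) -> bytes:
    """Decode bcrypt-base64 text into exactly nbytes bytes, discarding the
    padding bits carried by the final character (4 bits for the 22-char
    salt, 2 bits for the 31-char digest)."""
    acc, nbits, out = 0, 0, bytearray()
    for ch in text:
        acc = (acc << 6) | BCRYPT_B64.index(ch)   # ValueError on a bad char
        nbits += 6
        while nbits >= 8 and len(out) < nbytes:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1                # keep only leftover bits
    if len(out) != nbytes:
        raise ValueError(f"expected {nbytes} bytes, decoded {len(out)}")
    return bytes(out)


def parse_bcrypt(hash_str: str) -> BcryptHash:
    """Split a bcrypt string into its version, cost, salt and digest."""
    m = BCRYPT_RE.fullmatch(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash string")
    version, cost_str, salt_b64, digest_b64 = m.groups()
    cost = int(cost_str)
    if not 4 <= cost <= 31:                        # bcrypt's valid cost range
        raise ValueError(f"cost {cost} outside bcrypt's 4..31 range")
    return BcryptHash(
        version,
        cost,
        bcrypt_b64decode(salt_b64, 16),
        bcrypt_b64decode(digest_b64, 23),
    )


def needs_rehash(stored: BcryptHash, min_cost: int) -> bool:
    """True when a stored hash is weaker than current policy. A login
    handler calls this after a successful verify and re-hashes the plaintext
    it already has at the new cost, so old hashes get upgraded over time."""
    return stored.cost < min_cost


if __name__ == "__main__":
    h = parse_bcrypt(SAMPLE)
    print(h.version, h.cost, h.rounds, h.salt.hex(), h.digest.hex())
    print("needs rehash at cost 12:", needs_rehash(h, 12))
```

Because the cost and salt are recoverable from the stored string like this, a verifier never needs a separate salt column, and raising the cost for new hashes does not invalidate old ones: they keep verifying at their embedded cost until `needs_rehash` triggers an upgrade.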