Today I learned something I didn’t know before, mostly because I haven’t implemented a login scheme in a long time. Bcrypt abstracts away having to store and deal with a salt! That is, all your bcrypted hashes are automatically salted.

How? The hash has a salt concatenated into the hash as described by this awesome SO article.

Anatomy of a Bcrypt Hash

A Bcrypt hash is cool! It has three parts:

  1. A version tag that says which bcrypt algo was used to generate the hash.
  2. A cost factor: you can tell how expensive it was to generate the hash this way, and therefore the relative security of the hash. What a sweet interface for a world where the cost of hashing needs to keep going up as computers get faster.
  3. A concatenated salt + ciphertext string: the first 22 base64 characters are the salt, and the rest is the encoded ciphertext.
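As an added example (not code from the original post), here is a small parser that splits a bcrypt string into exactly those three parts, plus a check for whether a stored hash's cost has fallen below your current policy. The sample hash is a constructed, syntactically valid string, not the output of a real bcrypt run.

```python
import re

# bcrypt uses its own base64 alphabet (./A-Za-z0-9), not the RFC 4648 one.
# Layout: $<version>$<cost>$<22-char salt><31-char hash>  (60 chars total)
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# Constructed sample for illustration only: well-formed, but not a hash of anything.
SAMPLE_HASH = "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"


def parse_bcrypt(hash_str):
    """Return the version tag, cost, salt and ciphertext of a bcrypt string."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a well-formed bcrypt hash")
    version, cost, salt, ciphertext = m.groups()
    cost = int(cost)
    # The cost is log2 of the number of key-setup rounds; 4..31 is the valid range.
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost out of range: %d" % cost)
    return {
        "version": version,
        "cost": cost,
        "rounds": 2 ** cost,
        "salt": salt,            # already stored in the hash, nothing extra to keep
        "ciphertext": ciphertext,
    }


def needs_rehash(hash_str, min_cost):
    """True if the stored hash was made with a cost below the current policy.

    Because the cost travels with the hash, you can raise the site-wide cost and
    transparently re-hash each user's password on their next successful login.
    """
    return parse_bcrypt(hash_str)["cost"] < min_cost


if __name__ == "__main__":
    parts = parse_bcrypt(SAMPLE_HASH)
    print("version=%s cost=%d rounds=%d" % (parts["version"], parts["cost"], parts["rounds"]))
    print("salt=%s" % parts["salt"])
    print("needs rehash at cost 13:", needs_rehash(SAMPLE_HASH, 13))
```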