57
votes

I'm trying to configure Bcrypt for a node app that I'm making and have several questions about salts that I hope someone here can help kindly answer.

  • What is a salt 'round'? For example, in the github docs (https://github.com/kelektiv/node.bcrypt.js/) it uses a salt round of 10. What does that mean exactly?

  • Is the salt generated by Bcrypt always the same? For example, if I am saving user's hashed passwords to a DB, is the salt that it used to hash the password the same for every password?

  • How is the salt stored? Is it secure from potential attacks?

2

2 Answers

76
votes
  1. With "salt round" they actually mean the cost factor. The cost factor controls how much time is needed to calculate a single BCrypt hash. The higher the cost factor, the more hashing rounds are done. Increasing the cost factor by 1 doubles the necessary time. The more time is necessary, the more difficult is brute-forcing.
  2. The salt is a random value, and should differ for each calculation, so the result should hardly ever be the same, even for equal passwords.
  3. The salt is usually included in the resulting hash-string in readable form. So with storing the hash-string you also store the salt. Have a look at this answer for more details.
9
votes

Salt is included in hash only and we need not to remember while comparing.

var myPlaintextPassword='Saifio';  
var saltRounds = 10;   
const hash = bcrypt.hashSync(myPlaintextPassword, saltRounds);


$2b$10$nOUIs5kJ7naTuTFkBy1veuK0kSxUFXfuaOKdOKf9xYT0KKIGSJwFa

| | | | | | | hash-value = K0kSxUFXfuaOKdOKf9xYT0KKIGSJwFa | | | | | salt = nOUIs5kJ7naTuTFkBy1veu | | | cost-factor = 10 = 2^10 iterations | hash-algorithm = 2b = BCrypt