What are Salt Rounds and how are Salts stored in Bcrypt?
I'm trying to configure Bcrypt for a node app that I'm making and have several questions about salts that I hope someone here can help kindly answer.
What is a salt 'round'? For example, in the github docs (https://github.com/kelektiv/node.bcrypt.js/) it uses a salt round of 10. What does that mean exactly?
Is the salt generated by Bcrypt always the same? For example, if I am saving user's hashed passwords to a DB, is the salt that it used to hash the password the same for every password?
How is the salt stored? Is it secure from potential attacks?
- With "salt round" they actually mean the cost factor. The cost factor controls how much time is needed to calculate a single BCrypt hash. The higher the cost factor, the more hashing rounds are done. Increasing the cost factor by 1 doubles the necessary time. The more time is necessary, the more difficult is brute-forcing.
- The salt is a random value, and should differ for each calculation, so the result should hardly ever be the same, even for equal passwords.
- The salt is usually included in the resulting hash-string in readable form. So with storing the hash-string you also store the salt. Have a look at this answer for more details.
Salt is included in hash only and we need not to remember while comparing.
var myPlaintextPassword='Saifio';
var saltRounds = 10;
const hash = bcrypt.hashSync(myPlaintextPassword, saltRounds);
$2b$10$nOUIs5kJ7naTuTFkBy1veuK0kSxUFXfuaOKdOKf9xYT0KKIGSJwFa
| | | | | | | hash-value = K0kSxUFXfuaOKdOKf9xYT0KKIGSJwFa | | | | | salt = nOUIs5kJ7naTuTFkBy1veu | | | cost-factor = 10 = 2^10 iterations | hash-algorithm = 2b = BCrypt