Do I need to store the salt with bcrypt?

java encryption passwords salt bcrypt
RodeoClown picture RodeoClown · Nov 10, 2008 · Viewed 33.6k times · Source

bCrypt's javadoc has this code for how to encrypt a password:

String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt());

To check whether a plaintext password matches one that has been hashed previously, use the checkpw method:

if (BCrypt.checkpw(candidate_password, stored_hash))
    System.out.println("It matches");
else
    System.out.println("It does not match");

These code snippets imply to me that the randomly generated salt is thrown away. Is this the case, or is this just a misleading code snippet?

Answer

Greg Hewgill picture Greg Hewgill · Nov 10, 2008

The salt is incorporated into the hash (encoded in a base64-style format).

For example, in traditional Unix passwords the salt was stored as the first two characters of the password. The remaining characters represented the hash value. The checker function knows this, and pulls the hash apart to get the salt back out.

Related questions

Java 256-bit AES Password-Based Encryption

I need to implement 256 bit AES encryption, but all the examples I have found online use a "KeyGenerator" to generate a 256 bit key, but I would like to use my own passkey. How can I create my own key? I …

Read More
AES-256 Password Based Encryption/Decryption in Java

I found a guide for implementing AES encryption/decryption in Java and tried to understand each line as I put it into my own solution. However, I don't fully understand it and am having issues as a result. The end …

Read More
What API and algorithm to be used to encrypt and decrypt a password using java

I am currently creating application using Java, I googled password encryption with java but the results are so enormous I felt overwhelmed. How would I encrypt and decrypt a password using Java? And what is the best practice for encrypting …

Read More