Understanding bcrypt: How Salt and Hashing Secure Passwords
The bcrypt library in Node.js provides a simple API to hash passwords, generate salts, and compare hashed data. It has two major features:
Salting: A salt is a random string added to the password before hashing. This ensures that even if two users have the same password, their hashes will differ, because each password is salted with a different value.
Rounds: bcrypt applies its hash function repeatedly (known as 'key stretching'). This increases the time it takes to compute a hash, and therefore the time an attacker needs for each guess.
Setting Up bcrypt:
npm install bcrypt
Key bcrypt Methods:
bcrypt.genSalt(rounds): This method generates a salt with the specified number of rounds (iterations). The more rounds you use, the slower the hash calculation becomes.
bcrypt.hash(data, salt): This method hashes the given data (e.g., a password) using the specified salt.
bcrypt.compare(data, hash): This method compares the provided data (e.g., a user's login password) against a hash to verify whether they match.
bcrypt.getRounds(hash): This method retrieves the number of rounds used when a given hash was produced. This is useful if you want to check how computationally expensive the hash operation was.
Example:
In this example, we will see how bcrypt works at a basic level:
const bcrypt = require('bcrypt');

(async () => {
  // Step 1: Generate a salt with a cost factor of 10 rounds
  const salt = await bcrypt.genSalt(10);
  console.log('Generated Salt:', salt);

  // Step 2: Hash the password with that salt
  const hashedPassword = await bcrypt.hash('myPassword123', salt);
  console.log('Hashed Password:', hashedPassword);

  // Step 3: Compare the plaintext password with the stored hash
  const isMatch = await bcrypt.compare('myPassword123', hashedPassword);
  console.log('Password match:', isMatch); // true if correct

  // Step 4: Read back the number of rounds embedded in the hash
  const rounds = bcrypt.getRounds(hashedPassword);
  console.log('Rounds used in hashing:', rounds);
})();
Step 1: We call bcrypt.genSalt(10), which generates a salt for hashing. 10 is the number of rounds (the cost factor); it is recorded in the salt and controls how expensive the hash computation will be. The salt is then logged.
Step 2: We hash the password myPassword123 using the generated salt. The hashed password is logged. The result looks like a long string containing the salt and the hash.
Step 3: This step compares the plaintext password ('myPassword123') with the hashed password. If the comparison succeeds, it logs true; otherwise, it logs false.
Step 4: This method extracts and logs the number of rounds used when the password was hashed. The rounds are embedded in the hash itself, so they can be read back from it.
SAMPLE OUTPUT:
Generated Salt: $2b$10$Ez5hK3zOEvmyq9XcgpqYyOZFtVbTOG4HfNkZ2zwpmMKV2V7bIF3Jm
Hashed Password: $2b$10$Ez5hK3zOEvmyq9XcgpqYyOZFtVbTOG4HfNkZ2zwpmMKV2V7bIF3JmZpwA9RYWg5lQUpJ9pVEe7t.PSOY67bZG0ktA7k1g
Password match: true
Rounds used in hashing: 10
2b refers to the bcrypt algorithm version, 10 is the number of rounds, and the rest is the salt followed by the hashed password.
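As an added example (not code from the original post, and it needs no bcrypt module installed), here is a parser for the string format that the sample output above and bcrypt.getRounds() both rely on. It splits a hash into version, cost, salt and hash, rejects strings of the wrong shape, and shows a defender's use of the rounds value: checking whether a stored hash falls below the current cost policy so the application can rehash it after the user's next successful login. The functions parseBcryptHash, getRounds and needsRehash and the SAMPLE string are my own; SAMPLE has the correct 60-character shape but is a constructed value, not the hash of any real password.

```javascript
// Added example (not from the original post): parse the string that bcrypt.hash()
// returns and decide whether a stored hash should be upgraded. No dependencies.

// bcrypt encodes salt and digest with its own base64 alphabet "./A-Za-z0-9".
// Layout: $<version>$<2-digit cost>$<22-char salt><31-char hash> = 60 characters.
const BCRYPT_RE = /^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Returns { version, rounds, iterations, salt, hash }, or throws if the input
// is not shaped like a bcrypt hash string.
function parseBcryptHash(str) {
  const m = BCRYPT_RE.exec(str);
  if (!m) throw new Error('not a bcrypt hash string');
  const rounds = Number(m[2]);
  // bcrypt accepts a cost of 4..31; the cost is log2 of the key-setup iterations,
  // so every extra round doubles the work for the server and for an attacker alike.
  if (rounds < 4 || rounds > 31) throw new Error(`cost ${rounds} out of range`);
  return { version: m[1], rounds, iterations: 2 ** rounds, salt: m[3], hash: m[4] };
}

// The same information bcrypt.getRounds() gives you, read straight from the string.
function getRounds(str) {
  return parseBcryptHash(str).rounds;
}

// True when a stored hash was produced with fewer rounds than the current policy
// requires; the app can then rehash the plaintext it just verified at login.
function needsRehash(str, minRounds) {
  return getRounds(str) < minRounds;
}

// Constructed sample: right length and alphabet, NOT a hash of any real password.
const SAMPLE = '$2b$10$' + 'abcdefghijklmnopqrstuv' + 'ABCDEFGHIJKLMNOPQRSTUVWXYZ01234';

console.log(parseBcryptHash(SAMPLE));
console.log('needs rehash at cost 12?', needsRehash(SAMPLE, 12)); // true
```

Because the cost is stored in every hash, a site can raise its policy (say from 10 to 12 rounds) without a forced password reset: verify with bcrypt.compare as usual, and when needsRehash reports true, call bcrypt.hash again with the new cost and store the result.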
By using bcrypt, even if attackers manage to obtain the hashed passwords, they cannot easily recover the original passwords: the salt defeats precomputed lookup tables, and the rounds make each guess expensive.
Let's learn more about salts in the next blog.
Written by Harsh Singh