From GitHub:
To hash a password:
    var bcrypt = require('bcrypt');
    bcrypt.genSalt(10, function(err, salt) {
        bcrypt.hash("B4c0/\/", salt, function(err, hash) {
            // Store hash in your password DB.
        });
    });
Bcrypt compares hashed and plaintext passwords without a separate salt string because the hashed password contains the salt string that we created at the time of hashing.
For example:
Take this plain password:
546456546456546456456546111
Hashed Password of above plain text using Bcrypt :
$2b$10$uuIKmW3Pvme9tH8qOn/H7uZqlv9ENS7zlIbkMvCSDIv7aup3WNH9W
So in the above hashed password, there are three fields delimited by the $ symbol.
i) First part $2b$ identifies the bcrypt algorithm version used.
ii) Second part $10$: 10 is the cost factor (nothing but the salt rounds used while creating the salt string). If we do 15 rounds, then the value will be $15$.
iii) Third part is the first 22 characters (that is nothing but the salt string). In this case it is
uuIKmW3Pvme9tH8qOn/H7u
The remaining string is the hashed password. So basically, saltedHash = salt string + hashedPassword, to protect from rainbow table attacks.
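As an added illustration of the field layout described in this answer (not code from the answer or from the bcrypt project): the parser below splits a stored bcrypt string into version, cost, salt and hash, shows in outline why compare() needs no separate salt argument, and adds a defender-side check for hashes whose cost factor has fallen below policy. The `kdf` parameter is a hypothetical stand-in for the real bcrypt core, injected so the example runs offline; the sample hash is the one quoted above.

```javascript
// Layout of a bcrypt string (60 characters total):
//   "$" version "$" cost "$" salt(22 chars) hash(31 chars)
// version is 2a, 2b or 2y; cost is two decimal digits; salt and hash use
// bcrypt's own base64 alphabet ./A-Za-z0-9.
const BCRYPT_RE = /^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Split a stored bcrypt string into its fields, rejecting anything malformed.
function parseBcryptHash(stored) {
  const m = BCRYPT_RE.exec(stored);
  if (!m) throw new Error('not a well-formed bcrypt hash');
  const cost = parseInt(m[2], 10);
  if (cost < 4 || cost > 31) throw new Error(`cost factor ${cost} outside 4..31`);
  return {
    version: m[1],
    cost,
    salt: m[3],
    hash: m[4],
    // Everything except the hash: the part compare() feeds back into the KDF.
    settings: `$${m[1]}$${m[2]}$${m[3]}`,
  };
}

// Constant-time comparison over equal-length strings (length mismatch is
// rejected up front, which is not secret here since stored length is fixed).
function safeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// What bcrypt.compare(plain, stored) does in outline: read version, cost and
// salt out of `stored`, re-run the KDF on `plain` with those same settings,
// and compare the full 60-character result against `stored`.
// `kdf(plain, settings)` is a hypothetical stand-in for the bcrypt core.
function compareWithStoredSalt(plain, stored, kdf) {
  const { settings } = parseBcryptHash(stored);
  return safeEqual(kdf(plain, settings), stored);
}

// Defender-side check: flag stored hashes whose cost factor is below current
// policy so they can be re-hashed after the user's next successful login.
function needsRehash(stored, minCost) {
  return parseBcryptHash(stored).cost < minCost;
}

// Constructed sample: the hash quoted in the answer above.
const SAMPLE = '$2b$10$uuIKmW3Pvme9tH8qOn/H7uZqlv9ENS7zlIbkMvCSDIv7aup3WNH9W';

console.log(parseBcryptHash(SAMPLE));
console.log('needs rehash at cost 12:', needsRehash(SAMPLE, 12));
```

Because the cost and salt travel inside the stored string, a login handler can raise the work factor over time: on each successful compare, call needsRehash() and, if it returns true, hash the just-verified password again with the new cost and overwrite the stored value.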