Why does Ruby bcrypt lib contain the clear salt in the hash?
I am using Coda Hale's Ruby bcrypt library. I recently noticed it didn't work the way I thought it did. I thought the correct procedure was:
- Making salt
- Get password
- Combine salt and password strings
- Hash them through your hashing function
But when I look at the results of the bcrypt function, it seems that the salt is concatenated with the hash, not the password. That is, the salt is attached after step 4 and not before. I'm assuming Coda Hale is doing it right, but I'm wondering why it behaves this way.
Here's a quick IRB session to show what's weird (to me). Note that in the function results, the first 29 characters are the same as the salt. Any information as to why this is the case would be greatly appreciated.
My only theory is that the salt is being added and also injected into the hash, which removes the need to store the salt in a separate DB field (basically a record packing strategy)?
    password_salt = BCrypt::Engine.generate_salt
    => "$2a$10$OrKdcWORLL8Gorhy9XR3UO"
    password = 'abc'
    => "abc"
    BCrypt::Engine.hash_secret(password, password_salt)
    => "$2a$10$OrKdcWORLL8Gorhy9XR3UOY8Sebzq92m7r02XPitzoazPdO7tmsEO"
There is no technical reason why this is the case. If you wanted, you could keep the salt and password separate. Hell, you could make the salt open if you want. I have heard that some people will use user id as salt to keep a few bits of storage in their database.
There will be no security benefit if you use hashes and salts in different fields of the same database. All that really matters is that each salt is unique, to defeat rainbow tables.
My guess is that the creator chose to concatenate the two strings simply to store the salt and hash together in a single field in a database or application. This can sometimes be useful, for example, in languages that do not support ambiguous values.
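To make the "record packing" concrete, here is an added example (not code from the question or from the bcrypt-ruby gem) that pulls apart the string bcrypt emits, `$2a$<cost>$<22-char salt><31-char digest>`, decodes the salt with bcrypt's own base64 alphabet, and shows the verification step the self-describing format exists for: the stored string is fed back in as the "salt". The `hasher` argument of `bcrypt_verify` is an assumption that stands in for `BCrypt::Engine.hash_secret` so the file runs without the gem.

```ruby
# bcrypt's base64 variant: its own alphabet, no padding, 6 bits per character.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".freeze
# "$<version>$<cost>$<22-char salt>[<31-char digest>]"; the digest is optional so the
# same pattern accepts the bare settings string that generate_salt returns.
BCRYPT_RE = %r{\A\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})?\z}

# Decode bcrypt-base64 into raw bytes; trailing bits that do not fill a byte are dropped.
def bcrypt_b64_decode(str)
  acc = 0
  nbits = 0
  bytes = []
  str.each_char do |c|
    v = BCRYPT_ALPHABET.index(c) or raise ArgumentError, "invalid bcrypt base64 char #{c.inspect}"
    acc = (acc << 6) | v
    nbits += 6
    while nbits >= 8
      nbits -= 8
      bytes << ((acc >> nbits) & 0xff)
    end
  end
  bytes.pack("C*") # 22 salt chars -> 132 bits -> 16 bytes, 4 bits discarded
end

# Split a bcrypt string into the fields packed into it.
def parse_bcrypt(str)
  m = BCRYPT_RE.match(str) or raise ArgumentError, "not a bcrypt string: #{str.inspect}"
  version, cost, salt, digest = m.captures
  {
    version: version,
    cost: cost.to_i,                     # work factor: 2**cost iterations of key setup
    salt: salt,                          # 22 chars of bcrypt-base64 (the text form)
    salt_bytes: bcrypt_b64_decode(salt), # the 128-bit salt actually fed to the KDF
    digest: digest,                      # 31 chars; nil for a bare settings string
    settings: str[0, 29]                 # version + cost + salt: what hash_secret needs back
  }
end

# Verify a candidate: re-derive with the stored string's own settings, then compare the
# whole strings in constant time. `hasher` is a stand-in (assumption) for
# BCrypt::Engine.hash_secret; with the gem, pass BCrypt::Engine.method(:hash_secret).
def bcrypt_verify(stored, candidate, hasher)
  settings = parse_bcrypt(stored)[:settings]
  computed = hasher.call(candidate, settings)
  return false unless computed.bytesize == stored.bytesize
  computed.bytes.zip(stored.bytes).inject(0) { |diff, (a, b)| diff | (a ^ b) }.zero?
end
```

With the gem itself, `BCrypt::Password.new(stored) == candidate` performs this same read-settings-rehash-compare sequence; the parser above only makes visible what that call reads out of the stored string.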