Why is the hash generated by BCrypt non-deterministic
I've worked with a number of different hashing algorithms in the past and I was under the impression that they were all deterministic.
I just switched some of my code to use BCrypt.Net and I have to admit I was completely stumped when all of my comparison tests failed.
After looking for errors in my test for an embarrassing amount of time I realized that my assumption that the hashes are deterministic was completely incorrect. There is a verify method which works and it was easy enough to fix the code but I'd like to understand what is going on a little bit better.
Is it salting the values internally or is something else going on?
- Please note I am salting this in my real code - this is just a test
Is it salting the values internally
Yep. bcrypt is more than a raw hash function, it includes the salt and a few other bits to allow the hash to be validated without extra input:
$2a$12$q6r.MpvzPrUszrWLgaRdlOs04kPcjk0syCDelrzES9O8.UNlHON.u
^^ ^^ ^^^^^^^^^^^^^^^^^^^^^^
| | \- salt
| \---- work factor
\------- format
The API you're using doesn't expose it as you don't generally need to manipulate the salt, but it's there and you don't need to add your own.
- Clearing memory securely and reallocations
- How good is SecRandomCopyBytes?
- How to Exclude Specific Files (like .env) from GitHub Copilot in VS Code?
- Is it safe for the Stripe client_secret to be in the redirect URL?
- Apache Commons Compress as solution to Zip Bomb
- Using API keys in a react app
- How to convert SecureString to System.String?
- Should I hash the password before sending it to the server side?
- PHP $_SERVER['HTTP_HOST'] vs. $_SERVER['SERVER_NAME'], am I understanding the manual pages correctly?
- Dynamically set the data source for SSRS reports without unattended execution account?
- File containing its own checksum
- RNGCryptoServiceProvider - Random Number Review
- XSS attack with javascript in img src attribute
- What's the purpose of Django setting ‘SECRET_KEY’?
- Looking for suggestions for building a secure REST API within Ruby on Rails
- How to stop the user from entering harmful codes?
- Why are iframes considered dangerous and a security risk?
- Generate a Secure Random Password in Java with Minimum Special Character Requirements
- How can I prevent SQL injection in PHP?
- How to use buffer overflow to modify function pointer value?
- Accessing URL Image CORS policy
- Authorization (and security, in general) for web and mobile apps of the same service
- What Are the standards in mobile web application development?
- How to make external scripts work with hash-based CSP without allowlists in Astro?
- Best Practices: Salting & peppering passwords?
- AUR problems with installations
- How should I use the OAuth 2.0 Authorization grant in my case (React front-end, Spring Boot back-end)
- Configuring tomcat server to forward requests to other web server
- How can I prevent anybody sending requests to my server?
- Spring Security 6 Custom Filter not getting applied to specific url pattern in