No hashing of salt, string, workload?

Jan 21, 2012 at 6:48 AM

The docs don't seem to be right here.

1. BCrypt.HashPassword Method (String, Int32)

Hash a password using the OpenBSD bcrypt scheme and a salt generated by GenerateSalt(Int32) using the given workFactor

This seems to not be correct since there is no salt provided as a parameter for this overload.

What's the use of having a work factor here but no salt? Ideally you want to provide the salt, text, and work factor to slow the computation time down.

Sure you can set the work factor when generating the salt, but if the salt is already generated, you would likely want to use it when a user types in a password for validation AND include a work factor to slow brute forcing down - the whole purpose as I would see it for the work factor to exist?

 

Thoughts?

Thanks!

 

 


Jan 29, 2013 at 7:47 AM

This might be a year late, but here's a good explanation why.

 

http://stackoverflow.com/questions/5393803/can-someone-explain-how-bcrypt-verifies-a-hash
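
An added illustration, not part of the thread and not BCrypt.Net code: a bcrypt hash string stores its own work factor and salt, so verification reads both back from the stored value instead of taking them as parameters. The Python below parses that layout; the function names and the `SAMPLE` string are constructed for this example.

```python
import base64
import re

# bcrypt's own base64 alphabet and the standard one it is translated to here.
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
TO_STD = str.maketrans(BCRYPT_B64, STD_B64)

# Layout: $<version>$<2-digit cost>$<22-char salt><31-char digest>
HASH_RE = re.compile(
    r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")


def parse_bcrypt_hash(stored):
    """Split a stored bcrypt string into version, cost, raw salt and digest."""
    m = HASH_RE.fullmatch(stored)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    version, cost = m.group(1), int(m.group(2))
    if not 4 <= cost <= 31:
        raise ValueError("work factor out of range: %d" % cost)
    # 22 characters carry 132 bits; the first 128 are the 16-byte salt.
    salt = base64.b64decode(m.group(3).translate(TO_STD) + "==")
    return {"version": version, "cost": cost, "rounds": 1 << cost,
            "salt": salt, "digest_b64": m.group(4)}


def needs_rehash(stored, target_cost):
    """True when the stored hash was made with a lower work factor than wanted."""
    return parse_bcrypt_hash(stored)["cost"] < target_cost


# Constructed sample: valid layout only, not the digest of any real password.
SAMPLE = "$2a$10$" + "abcdefghijklmnopqrstuu" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

if __name__ == "__main__":
    info = parse_bcrypt_hash(SAMPLE)
    print(info["version"], info["cost"], info["rounds"], info["salt"].hex())
    print("rehash at cost 12:", needs_rehash(SAMPLE, 12))
```

A verifier re-runs bcrypt on the typed password with the parsed salt and cost and compares the result with the stored digest, which is why the work factor only has to be chosen when the hash is first created.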