8

I use the nodejs bcrypt library for better password protection.

I am not sure I understand exactly how to use it, but I got this so far:

//A module containing this login function:

var bcrypt = require('bcrypt');
// "client" is an already-connected database client (e.g. node-mysql) that is
// assumed to be set up elsewhere in this module.

module.exports = {
    login: function(credentials, req, res) {

        //"credentials" contains email and password from the login form
        var query = 'SELECT password, email FROM users WHERE email = ? LIMIT 1';

        client.query(query, [credentials.email], function(err, results) {

            if (results[0]) {

                //Compare the submitted password against the stored bcrypt hash
                //(the stored string already carries the salt and cost factor)
                if (bcrypt.compareSync(credentials.password, results[0].password)) {

                    //Set session data and redirect to restricted area

                }
            }
        });
    }
};

I removed all the error handling here in the example so that it's easier to read the code.

1. This works and I am able to log in and set the session. But is this all there is to it? Am I missing something?

2. Looks like the salt is prepended to the password when generating the hash. Don't I have to save the salt in the DB?

Any help appreciated.

1 Answer 1

6

Yes, this is all there is to it! The salt you generate when encrypting the password originally is used to protect against rainbow table attacks; you do not need to persist it.


3 Comments

Great. Really nice library. And easy to use.
Great answer. This post also helped me understand why you do not need to persist the salt. stackoverflow.com/questions/277044/…
Beware: As the accepted answer of the question linked by @emilebaizel points out, the salt is stored as part of the resulting hash. The number of rounds used is also part of the hash, resulting in a single hash that has ALL the information the "checker" code needs.
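To make the point in the answer and the last comment concrete, here is an added example (not code from the question, the answer, or the bcrypt library) that pulls apart a bcrypt hash string into the fields it carries. A bcrypt string has the shape `$<version>$<cost>$<22-char salt><31-char hash>`, encoded with bcrypt's own base64 alphabet `./A-Za-z0-9`; the salt and the cost factor are right there in the column, which is why `compare()` needs nothing but the stored string and the candidate password. The parser is plain string handling and does not need the bcrypt module. `checkStoredHash`, its `minCost` parameter, and the sample hash value are assumptions made for this illustration; the sample string has the standard 60-character shape but is not claimed to be the hash of any particular password.

```javascript
// Added example: parse the fields embedded in a bcrypt hash string.
// Shape: $<version>$<cost>$<22-char salt><31-char hash>
// version is one of 2, 2a, 2b, 2x, 2y; cost is two decimal digits (log2 rounds).
var BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

function parseBcryptHash(stored) {
  var m = BCRYPT_RE.exec(stored);
  if (!m) {
    return null; // not a bcrypt string: corrupted column, legacy unsalted hash, etc.
  }
  var cost = parseInt(m[2], 10);
  return {
    version: m[1],
    cost: cost,                 // log2 of the key-setup iteration count
    rounds: Math.pow(2, cost),
    salt: m[3],                 // 128-bit random salt, bcrypt-base64 encoded
    hash: m[4],                 // 184 bits of the Blowfish-based output
    // the prefix compare() re-derives the hash from: version, cost and salt
    saltString: '$' + m[1] + '$' + m[2] + '$' + m[3]
  };
}

// Hypothetical defensive check a login handler can run before bcrypt.compare():
// rejects column values that are not bcrypt hashes at all, and flags hashes whose
// cost is below the floor this deployment accepts (a hint to re-hash the password
// with the current cost on the user's next successful login).
function checkStoredHash(stored, minCost) {
  var parsed = parseBcryptHash(stored);
  if (!parsed) {
    return { ok: false, reason: 'not a bcrypt hash' };
  }
  if (parsed.cost < minCost) {
    return { ok: false, reason: 'cost too low', cost: parsed.cost };
  }
  return { ok: true, cost: parsed.cost };
}

// Constructed sample value of the standard 60-character shape (for illustration
// only; not presented as the hash of any specific password).
var SAMPLE_HASH = '$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW';

// Constructed non-bcrypt value, e.g. a leftover unsalted hex digest in the column.
var LEGACY_VALUE = '5f4dcc3b5aa765d61d8327deb882cf99';

console.log(parseBcryptHash(SAMPLE_HASH));
console.log(checkStoredHash(SAMPLE_HASH, 10));   // { ok: true, cost: 12 }
console.log(checkStoredHash(LEGACY_VALUE, 10));  // { ok: false, reason: 'not a bcrypt hash' }
```

Running this shows that the 22 characters after the third `$` are the salt and the two digits before it are the cost, so a separate salt column would only duplicate data the hash string already holds. The cost check is useful because the stored cost, not a server-side setting, determines how expensive verification of that particular row is.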
