Node.js
Farazendasss, 2020-04-22 12:52:50

How is a hashed password validated?

When a user registers, the password is hashed using bcryptjs and this string of characters is written to the database. If you enter the same password several times, the hash will always be different.
Question: how to compare passwords of registered users?
Comparing with the one in the database will not work because it is hashed. If you hash the user's password, it will be 2 different hashes.

I understand the question is quite simple. But understanding for some reason does not come.
Please explain.

Ideally, explain using bcryptjs methods.


1 answer(s)
Dmitry Belyaev, 2020-04-22
@Farazendasss

"If you enter the same password several times, the hash will always be different."
No. The whole point of hash functions is that, for all their irreversibility, they always produce a deterministic result, that is, in simple terms, the same output parameters are given for the same input parameters.
That is, the same password will always give the same hash.
Specifically with bcrypt, it's a hash with a salt. That is, it does not have 1 input parameter (password), but 2 - password and salt. When a new hash is created, a new salt is generated (ideally by crypto random). Therefore, the hash changes. This complicates hacking, since without the salt I could simply have a pre-calculated dictionary of hashes for frequent passwords, and with the salt I would have to do a brute-force search, even if the user has a banal qwerty password.
For validation, the salt is stored in the database along with the hash; we simply do not generate a new salt, but hash it with the saved one.
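
The register/validate flow described in this answer, as an added example that is not part of the original thread. It swaps in Node's built-in scrypt for bcryptjs so it runs without dependencies; the `scheme$salt$hash` record format, `KEY_LEN` and the function names are assumptions made for the illustration.

```javascript
// Added example (not from the thread). scrypt stands in for bcrypt here;
// the salt handling is the point, and it is the same idea in both.
const { randomBytes, scryptSync, timingSafeEqual } = require('node:crypto');

const KEY_LEN = 32; // length of the derived hash in bytes (assumed value)

// Registration: a fresh random salt is generated, the password is hashed
// together with it, and salt + hash are stored as one string.
// The new salt is the only reason two records for one password differ.
function hashPassword(password, salt = randomBytes(16)) {
  const hash = scryptSync(password, salt, KEY_LEN);
  return ['scrypt', salt.toString('base64'), hash.toString('base64')].join('$');
}

// Login: no new salt. The saved salt is read back from the stored record,
// the submitted password is hashed with it, and the two hashes are compared.
function verifyPassword(password, stored) {
  if (typeof stored !== 'string') return false;
  const [scheme, saltB64, hashB64] = stored.split('$');
  if (scheme !== 'scrypt' || !saltB64 || !hashB64) return false; // malformed record
  const salt = Buffer.from(saltB64, 'base64');
  const expected = Buffer.from(hashB64, 'base64');
  if (expected.length !== KEY_LEN) return false; // timingSafeEqual needs equal lengths
  const actual = scryptSync(password, salt, KEY_LEN);
  return timingSafeEqual(actual, expected); // constant-time comparison
}

// Constructed sample data: the same password registered twice.
const recordA = hashPassword('qwerty');
const recordB = hashPassword('qwerty');
console.log('records differ:', recordA !== recordB);
console.log('correct password:', verifyPassword('qwerty', recordA));
console.log('wrong password:', verifyPassword('qwertz', recordA));
```

With bcryptjs the same two steps are `bcrypt.hash(password, rounds)` at registration and `bcrypt.compare(password, storedHash)` at login; the bcrypt hash string already carries its salt, so only that one string is stored.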
