Do I need to store the salt with bcrypt?

bCrypt’s javadoc has this code for how to encrypt a password:

String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt()); 

To check whether a plaintext password matches one that has been hashed previously, use the checkpw method:

if (BCrypt.checkpw(candidate_password, stored_hash))
    System.out.println("It matches");
else
    System.out.println("It does not match");

These code snippets imply to me that the randomly generated salt is thrown away. Is this the case, or is this just a misleading code snippet?

1 Answer
1

Leave a Comment