SteveS (8) [Avatar] Offline
#1
I believe the examples of bcrypt usage in section 7.2.5 are unnecessarily complicated. It should not be necessary to store the salt separately, as bcrypt encodes the salt into the hash (you can observe this in the output from listing 7.19).

Obviously, if you don't store the salt separately, you can't use bcrypt.hash() to authenticate in listing 7.21. However, bcrypt.compare() only requires the hash and is the preferred mechanism for checking a password.