Authentication Unique Keys And Salts

Without a salt, every user who picks the same password ends up with the same digest:

"password123" → SHA256 → "ef92b778b..." (same for all users)

With a salt, identical passwords become different:

User A: "password123" + "sA1kL9" → "3d4f..."
User B: "password123" + "jF8zQ2" → "a1e5..."

A rainbow table is a precomputed list of password → hash mappings. Without salts, an attacker with a 1 TB rainbow table can crack most unsalted hashes in minutes.

| Attack Type | Without Salt | With Salt (unique per user) |
|-------------|--------------|-----------------------------|
| Rainbow table | Instant (lookup) | Useless – would need a table per user |
| Precomputed hash | Effective | Completely ineffective |
| Brute-force | Same cost for all users | Same cost, but cannot reuse across users |

Verifying a login with bcrypt, which stores the per-user salt inside the hash string it produces:

```js
const bcrypt = require('bcrypt');

// Login: verify the submitted password against the stored bcrypt hash.
// bcrypt.compare re-derives the hash using the salt embedded in storedHash.
async function loginUser(password, storedHash) {
  const isValid = await bcrypt.compare(password, storedHash);
  return isValid;
}
```

Generating an API key from a cryptographically secure random source:

```js
const crypto = require('crypto');

// Generate an API key: 32 random bytes, hex-encoded, with an "sk_" prefix
function generateApiKey() {
  return 'sk_' + crypto.randomBytes(32).toString('hex');
}
```