Bcrypt generates password without salt?


I am using a .NET Bcrypt hash implementation from a third-party library, and it has a method that creates a hash simply by providing text or a password, like below.

Bcrypt.HashPassword("password") 

I know that the generated hash contains the salt information, but the method doesn't take a salt parameter while creating the hash.

Does Bcrypt create a random salt internally and use it?

Can it cause a security weakness if I don't use the salt-overloaded method?

Timothy Shields

From a theoretical standpoint, you should be doing the following, where P is the given password:

  1. Generate a cryptographically-strong random salt S.
  2. Compute H = Hash(S + P), where Hash is a cryptographically-strong hashing algorithm.
  3. Store S and H in your database for the current user.

At authentication time, given candidate password P' for someone claiming to be that same user, validate the user if and only if H == Hash(S + P').

Does Bcrypt create random salt internally and use it?

The salt is not something it should be creating only internally. It should be giving you the salt to store with the hashed salt + password.

Can it cause a security weakness if I don't use the salt-overloaded method?

Yes.