Every time I use:
BCrypt.HashPassword(password, 12)
it gives me different output. From what I've read, in order to check log-in details, I must have the password itself:
BCrypt.Verify(expectedPassword, hashed);
So I'm confused: I thought I should keep in my DB only the hashes, not the passwords themselves. What am I missing?
You are 100% correct when you state:
Following on from our online chat, where we clarified the issue you were querying, the general process is as follows:
Later on ...
The important thing to note is that, for a given hash algorithm, two identical strings will always hash to identical values, so this comparison is safe.
It is standard to allow the password to be in plain text when still in memory. It is in theory possible to encrypt it before it reaches the server (for example, it would not surprise me if there exist SHA-512 procedures written in JavaScript to hash passwords before they are submitted), but that generally is above and beyond even the most complex security requirements.
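To make the mechanism concrete, here is an added example (not from the question, the answer, or the BCrypt.Net library) that uses PBKDF2 from Python's standard library as a stand-in for BCrypt.HashPassword / BCrypt.Verify. The function names and the `algo$cost$salt$digest` storage format are my own; it also covers one case the answer does not mention, a malformed stored value, which must simply fail to verify.

```python
import base64
import hashlib
import hmac
import secrets

# Added example: a PBKDF2 stand-in for bcrypt's HashPassword/Verify pair.
# The mechanism is the same as bcrypt's: a fresh random salt on every call
# (hence a different output each time), with the salt and the cost stored
# inside the returned string, so Verify can recompute the hash from the
# submitted password without the password itself ever being stored.

ITERATIONS = 600_000  # cost parameter; the analogue of bcrypt's work factor 12


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing hash string: pbkdf2_sha256$<iterations>$<salt>$<digest>."""
    salt = secrets.token_bytes(16)  # fresh salt per call -> different output each time
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(candidate: str, stored: str) -> bool:
    """Recompute the candidate's hash with the salt and cost embedded in `stored`."""
    try:
        algo, iterations_str, salt_b64, digest_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iterations_str)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return False  # a malformed stored value never verifies
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)  # constant-time comparison


if __name__ == "__main__":
    stored = hash_password("correct horse")       # this is what goes in the DB
    print(stored != hash_password("correct horse"))  # True: different salt each call
    print(verify_password("correct horse", stored))  # True
    print(verify_password("wrong guess", stored))    # False
```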