I've worked with a number of different hashing algorithms in the past and I was under the impression that they were all deterministic.
I just switched some of my code to use BCrypt.Net and I have to admit I was completely stumped when all of my comparison tests failed.
After looking for errors in my test for an embarrassing amount of time I realized that my assumption that the hashes are deterministic was completely incorrect. There is a verify method which works and it was easy enough to fix the code but I'd like to understand what is going on a little bit better.
Is it salting the values internally or is something else going on?
> Is it salting the values internally
Yep. bcrypt is more than a raw hash function, it includes the salt and a few other bits to allow the hash to be validated without extra input:
    $2a$12$q6r.MpvzPrUszrWLgaRdlOs04kPcjk0syCDelrzES9O8.UNlHON.u
     ^^ ^^ ^^^^^^^^^^^^^^^^^^^^^^
     |  |  \- salt
     |  \---- work factor
     \------- format
The API you're using doesn't expose it as you don't generally need to manipulate the salt, but it's there and you don't need to add your own.
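As an added illustration (not part of the original answer, and not BCrypt.Net code), the Python sketch below splits a stored bcrypt string into the fields shown in the diagram and decodes the embedded salt, which is what lets a verify call recompute the same hash. The names `parse_bcrypt`, `bcrypt_b64decode` and `needs_rehash` are hypothetical, and the work-factor policy check is an assumed use of the parsed fields.

```python
import re
from typing import NamedTuple

# bcrypt uses its own base64 alphabet (not RFC 4648) and no padding.
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
HASH_RE = re.compile(r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")

# Sample value taken from the answer above.
SAMPLE = "$2a$12$q6r.MpvzPrUszrWLgaRdlOs04kPcjk0syCDelrzES9O8.UNlHON.u"


class BcryptHash(NamedTuple):
    version: str      # "format" in the diagram, e.g. "2a"
    cost: int         # work factor (log2 of the key-setup iteration count)
    salt: bytes       # 16 raw salt bytes, generated fresh for every hash
    digest_b64: str   # remaining 31 characters: the actual hash output


def bcrypt_b64decode(text: str) -> bytes:
    """Decode bcrypt's unpadded base64 variant, 6 bits per character."""
    bits = nbits = 0
    out = bytearray()
    for ch in text:
        bits = ((bits << 6) | BCRYPT_B64.index(ch)) & 0xFFFF
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
    return bytes(out)  # trailing bits that do not fill a byte are dropped


def parse_bcrypt(stored: str) -> BcryptHash:
    m = HASH_RE.fullmatch(stored)
    if m is None:
        raise ValueError("not a 60-character bcrypt hash string")
    version, cost, salt_b64, digest_b64 = m.groups()
    if not 4 <= int(cost) <= 31:
        raise ValueError("work factor outside bcrypt's 4..31 range")
    return BcryptHash(version, int(cost), bcrypt_b64decode(salt_b64), digest_b64)


def needs_rehash(stored: str, min_cost: int) -> bool:
    """True when the stored hash was created below the required work factor."""
    return parse_bcrypt(stored).cost < min_cost
```

Because the salt and work factor travel inside the stored string, two hashes of the same password differ only because each call draws a new salt; verification reads these fields back and recomputes with them.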