You are correct; typically, the salt is embedded within the hash, especially in more modern hashing schemes. Here’s how you can handle the salt and hash verification when the salt is embedded in the hash using scrypt.

Embedding Salt within the Hash

When generating the scrypt hash, the salt is included in the resulting string. We can use the OpenSSL command to include the salt and retrieve it during verification.

Example Workflow:

  1. Generate the scrypt Hash with Embedded Salt:
  2. Compare the Password with the Stored Hash Extracting the Salt:

Step 1: Generate the scrypt Hash with Embedded Salt

#!/bin/bash

# Generate a scrypt hash with embedded salt
password="mypassword"
salt=$(openssl rand -hex 16) # Generate a random salt
hashed=$(echo -n "${password}" | openssl enc -scrypt -salt -S "${salt}")
echo "Salt: ${salt}"
echo "scrypt Hash: ${hashed}"

Step 2: Compare the Password with the Stored Hash Extracting the Salt

#!/bin/bash

# Function to extract salt from the stored hash
extract_salt() {
  local stored_hash="$1"
  echo "${stored_hash}" | awk -F'$' '{print $4}'
}

# Function to derive a scrypt hash with the given password and salt
derive_scrypt_hash() {
  local password="$1"
  local salt="$2"
  echo -n "${password}" | openssl enc -scrypt -salt -S "${salt}"
}

# Stored hash with embedded salt
stored_hash="your_stored_hash_here" # Replace with the actual stored hash

# Extract the salt from the stored hash
stored_salt=$(extract_salt "${stored_hash}")

# Password input (normally you would read this securely from the user)
password="mypassword"

# Derive the hash from the input password using the extracted salt
derived_hash=$(derive_scrypt_hash "${password}" "${stored_salt}")

# Compare the derived hash with the stored hash
if [ "${derived_hash}" == "${stored_hash}" ]; then
  echo "Password matches."
else
  echo "Password does not match."
fi

Explanation

  1. Generate the Hash:

    • The password is hashed using openssl enc -scrypt along with a generated salt.
    • The hash output includes the salt.

  2. Extract Salt and Verify:

    • The extract_salt function retrieves the salt from the stored hash.
    • The derive_scrypt_hash function derives the hash using the extracted salt and input password.
    • The derived hash is compared with the stored hash to verify the password.

Note

Ensure you replace your_stored_hash_here with the actual stored hash when comparing.

Conclusion

By embedding the salt within the hash, you simplify the storage and verification process. This method allows you to verify passwords without the need to store the salt separately, ensuring the salt is always available when needed for verification.