I'm storing strings like

  > =bcrypt.digest("hello", bcrypt.salt(10))
  $2y$10$r4hm7bIEdyth2ni8ufmpvuIQqnPeJSOAHne1Mk1yC0FPsIxP.lKsS

This string includes the algorithm, the difficulty, the salt, and the hash, so bcrypt.verify can do everything for me when someone tries to log in.

I appreciate your line of questioning. My reply to the top-level thread is pretty low value, since most people are trying to build web services that need sessions that persist across connections.

Complaining about downvotes is usually a way to collect more downvotes. This is partially because people are aware that it is against the guidelines at https://news.ycombinator.com/newsguidelines.html and partially because people get some sadistic pleasure out of punishing minor transgressions.

You're getting negative karma'ed because your comment shows a lack of understanding of what bcrypt is and what it does. Here's a short explanation: bcrypt is a hash function that you should use for storing hashed passwords. When calculating the bcrypt hash of a string, a salt is automatically added. The result you get looks something like this: `$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy` The 2a specifies which version of bcrypt was used, the 10 is the number of rounds, N9qo8uLOickgx2ZMRZoMye is the salt and the remaining characters are the hash. When checking this hash against a password you have to call a second function and pass in the password as well as the hash. This second function will automatically parse the passed in hash and calculate the hash of the password with the same number of rounds and the same salt.