I'm storing my password using something like
var salt = bcrypt.genSaltSync(10);
var hash = bcrypt.hashSync('password', salt); //hash = $2a$10$MCNmLPkgiZ9jH9/0x4ZVJOvxYratODHJbcC6.X3vIDoxOfFwBYCpK
I wanted to move my database to another machine and BANG! All my passwords are wrong.
If I run the same code on the new machine I get a different hash. Does this matter?
var salt = bcrypt.genSaltSync(10);
var hash = bcrypt.hashSync('password', salt); //hash = $2a$10$LLi4TyJ1oP69HQMkPpsExO4hinwW3SmURR0mqmB1ranCJX3ed5oDC
That is by design. The workflow for checking a password does not involve generating a new salt, only using the existing salt when checking if the plaintext is correct.
From the Wikipedia article on password salts:
To understand the difference between cracking a single password and a set of them, consider a single password file that contains hundreds of usernames and passwords. Without a salt, an attacker could compute hash(attempt[0]), and then check whether that hash appears anywhere in the file. The likelihood of a match, i.e. cracking one of the passwords with that attempt, increases with the number of passwords in the file. If salts are present, then the attacker would have to compute hash(salt[a] . attempt[0]), where "." denotes concatenation, compare against entry A, then hash(salt[b] . attempt[0]), compare against entry B, and so on. This defeats "reusing" hashes in attempts to crack multiple passwords.
Understanding the variable salt:
Imagine your database stores password of user X as hash('mypass').
An intruder gets his hands on your database and the hashed passwords. Now he is able to run a rainbow attack, and if his pre-computed rainbow table contains the password 'mypass', he will easily find out what password user X used.
To mitigate, you can store passwords as hash('mypass' + 'SERVER_CONSTANT')
It defeats the rainbow attack even if the intruder gets access to 'SERVER_CONSTANT'. It is a required standard now and is called a salt.
The bcrypt.genSalt(Sync) method generates the salt relying on unique properties of the server's hardware. The genSalt is different for each computer (otherwise it defeats the purpose of a salt).
Solution:
console.log(bcrypt.genSaltSync(10)) on your old machine. Let's say it is ABCDE.
Then do: var salt = 'ABCDE' on your new server. Using a constant instead of genSalt is safe, but you will have to keep it private (out of public repositories, etc.).