diff --git a/server/src/db.js b/server/src/db.js
index c78753b..aa37677 100644
--- a/server/src/db.js
+++ b/server/src/db.js
@@ -36,14 +36,11 @@ export async function init() {
 /**
 * Characters model
 * - username + passhash live here
- * - bcrypt provides salt + cost factor per hash
+ * - bcrypt automatically salts and stores the salt + cost in the hash
 */
 export const Characters = {
- // create a new character with username + password
 async create(username, password) {
- // bcrypt automatically generates a unique salt for each hash.
- // You can bump the rounds (12, 14, etc.) if you want more work factor.
- const saltRounds = 12;
+ const saltRounds = 12; // bump if you want more cost
 const passhash = await bcrypt.hash(password, saltRounds);
 const { rows } = await query(
@@ -53,17 +50,16 @@ export const Characters = {
 return rows[0];
 },
- // verify username/password; return character row or null
 async verify(username, password) {
 const { rows } = await query(
 'SELECT * FROM characters WHERE username=$1', [username]
 );
- const char = rows[0];
- if (!char) return null;
+ const ch = rows[0];
+ if (!ch) return null;
- const ok = await bcrypt.compare(password, char.passhash);
- return ok ? char : null;
+ const ok = await bcrypt.compare(password, ch.passhash);
+ return ok ? ch : null;
 },
 async getById(id) {
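Review bot: `create` hands `password` to `bcrypt.hash` with no type or length check, and bcrypt only uses the first 72 bytes of its input, so two long passphrases that share that prefix would verify as the same secret. Unless callers already validate this, a guard before the hash call such as `if (typeof password !== 'string' || Buffer.byteLength(password, 'utf8') > 72) throw new Error('invalid password');` makes the limit explicit instead of silent. The shortened trailing comment on `saltRounds` could also record that raising the value only affects newly created hashes, since each stored hash carries its own cost, e.g. `// bcrypt cost factor; existing hashes keep their old cost until rehashed`. The body of `create` continues past the end of this hunk, so the INSERT statement itself is not visible here.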
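Review bot: `verify` returns the full row from `SELECT *` on success (`return ok ? ch : null;`), so `passhash` travels with the character object to every caller and can end up in a session, a log line or an API response. Dropping it before returning, e.g. `const { passhash, ...safe } = ch;` followed by `return ok ? safe : null;`, keeps the hash inside the data layer, assuming no caller relies on that field. The early `if (!ch) return null;` also skips the bcrypt work for unknown usernames, so response time can distinguish existing accounts from non-existing ones; running `bcrypt.compare` against a fixed dummy hash in that branch evens this out. With the one-line comment above `verify` removed, a short JSDoc stating that the method resolves to the character row or `null` would keep the contract documented.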