Just saying -- storing the salt alongside the hash is very common. It's used just about everywhere (/etc/shadow, bcrypt in generalβ¦).
The alternative is: how are you to be able to log in? If the salt isn't stored, then the hash becomes useless. If it is stored, but is constant across the database; then what point does the salt have? It would be a problem were it sha1 or similar, but it isn't.
Other than that⦠argon2 is quite strong so far at least.
But if your DB is leaked - wouldn't that make decrypting password easier? π€
Having one common salt that's not in DB would mean that attacked upon acquiring that DB would have to first figure out what that salt was.
Or am I just misunderstanding something here? π€
Edit: Just did some googling, and apparently I totally confused salt with encryption keys used in a different set of algos all this time. I am a bit of an idiot π€¦ββοΈ
Yeah. Main difference is between initialization vector/key (you keep the initialization vector and remember the key) and a randomness adder (salt). A salt and an IV are similar, in that they introduce uniqueness into place there might not be otherwise.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Just saying -- storing the salt alongside the hash is very common. It's used just about everywhere (/etc/shadow, bcrypt in generalβ¦).
The alternative is: how are you to be able to log in? If the salt isn't stored, then the hash becomes useless. If it is stored, but is constant across the database; then what point does the salt have? It would be a problem were it sha1 or similar, but it isn't.
Other than that⦠argon2 is quite strong so far at least.
But if your DB is leaked - wouldn't that make decrypting password easier? π€
Having one common salt that's not in DB would mean that attacked upon acquiring that DB would have to first figure out what that salt was.
Or am I just misunderstanding something here? π€
Edit: Just did some googling, and apparently I totally confused salt with encryption keys used in a different set of algos all this time. I am a bit of an idiot π€¦ββοΈ
Yeah. Main difference is between initialization vector/key (you keep the initialization vector and remember the key) and a randomness adder (salt). A salt and an IV are similar, in that they introduce uniqueness into place there might not be otherwise.