antelle/argon2-browser

Hash the salt?

hayr-hotoca opened this issue · 1 comment

Hi thanks for your effort!

I want to generate the 256-bit salt based on the user's email, username, phone, .... instead of generating a random salt, like below. Is it a good practice? My intention is also to hide the user's email, username, phone, ... along with the password.

// First pass: derive the "salt" from the username (pass and salt are both the username).
const hashSalt = await argon2.hash({
time: 16,
mem: 2 ** 15, // KiB; note `^` is XOR in JavaScript, so `2^15` would be 13, not 32768
hashLen: 32,
parallelism: 2,
pass: myUserName,
salt: myUserName
});
// Second pass: hash the real password with the derived salt.
const hashPassword = await argon2.hash({
time: 16,
mem: 2 ** 15,
hashLen: 32,
parallelism: 2,
pass: password,
salt: hashSalt.hash, // .hash is a Uint8Array
});
save(hashPassword.encoded);

Hi! I'm not the author of Argon2, my library just exports it to JS, so it's better to ask the authors about questions like this.
But in my understanding it's not a good idea to generate a salt based on data, because it can be done by attackers as well if they get access to the algorithm of the generation. Whether it's a risk is up to you.