antelle / argon2-browser

Argon2 library compiled for browser runtime
https://antelle.net/argon2-browser
MIT License

Is the salt included in the hash? #35

Closed afrancht closed 4 years ago

afrancht commented 4 years ago

I was wondering: as with bcrypt, is the salt included in the hash? I see other implementations, like the one in https://github.com/ranisalt/node-argon2, and yours that in some instances don't have a parameter input for the salt in their example:

try {
  if (await argon2.verify("<big long hash>", "password")) {
    // password match
  } else {
    // password did not match
  }
} catch (err) {
  // internal failure
}

If so, which part is the salt, and will this be compatible when used with another library too?

antelle commented 4 years ago

Hi! It's not included in the hash; however, it's included in the encoded version of the hash. For example, hashing with the salt "something" gives us this string:

$argon2d$v=19$m=1024,t=1,p=1$c29tZXRoaW5n$hnyOJsLDY3YPllKQSj9fR7+tR/l0Et2RnVWq1CJPubk

If we run this snippet:

atob('c29tZXRoaW5n')

it will give us "something".

antelle commented 4 years ago

You can find the encoded format here: https://github.com/P-H-C/phc-winner-argon2/blob/master/src/encoding.c#L326-L353
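
The encoded string quoted in the reply above, taken apart field by field, as an added example that is not part of the original thread or of the library's code. `parseArgon2Encoded` and `b64ToBytes` are hypothetical names, and the parser handles only the form shown in the thread, with the `v=` field present.

```javascript
// Added example: split an Argon2 encoded string into its fields.
// SAMPLE is the encoded string quoted in the thread above.
const SAMPLE =
  '$argon2d$v=19$m=1024,t=1,p=1$c29tZXRoaW5n$hnyOJsLDY3YPllKQSj9fR7+tR/l0Et2RnVWq1CJPubk';

// The encoded form uses base64 without '=' padding; restore it before decoding.
function b64ToBytes(b64) {
  if (!/^[A-Za-z0-9+/]+$/.test(b64)) throw new Error('invalid base64 field');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

function parseArgon2Encoded(encoded) {
  // A leading '$' makes the first element of the split empty:
  // ['', type, 'v=..', 'm=..,t=..,p=..', salt, hash]
  const parts = encoded.split('$');
  if (parts.length !== 6 || parts[0] !== '') {
    throw new Error('unexpected number of fields');
  }
  const [, type, versionField, paramField, saltB64, hashB64] = parts;
  if (!['argon2d', 'argon2i', 'argon2id'].includes(type)) {
    throw new Error('unknown Argon2 variant: ' + type);
  }
  const v = /^v=(\d+)$/.exec(versionField);
  const p = /^m=(\d+),t=(\d+),p=(\d+)$/.exec(paramField);
  if (!v || !p) throw new Error('malformed version or parameter field');
  return {
    type,
    version: Number(v[1]),
    memoryKiB: Number(p[1]),   // m: memory cost in KiB
    iterations: Number(p[2]),  // t: time cost (passes)
    parallelism: Number(p[3]), // p: lanes
    salt: b64ToBytes(saltB64), // raw salt bytes, stored in the clear
    hash: b64ToBytes(hashB64), // raw hash output (the tag)
  };
}

const parsed = parseArgon2Encoded(SAMPLE);
console.log(parsed.type, parsed.version, parsed.memoryKiB,
  new TextDecoder().decode(parsed.salt), parsed.hash.length);
```

Because the variant, version, cost parameters and salt all travel inside the string, a verifier needs only the encoded string and the candidate password, which is why the `verify` call in the question takes no salt argument.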