search

antelle / argon2-browser

Argon2 library compiled for browser runtime
https://antelle.net/argon2-browser
MIT License
363 stars 78 forks source link

Hash the salt? #70

Closed hayr-hotoca closed 2 years ago

hayr-hotoca commented 2 years ago

Hi thanks for your effort!

I want to generate the 256bits salt based on user's email, username, phone, .... instead of generating random salt like below. Is it a good practice? My intention is also to hide the user's email, username, phone, ... along with password?

const hashSalt = await argon2.hash({ time: 16, mem: 2^15, hashLen: 32, parallelism: 2, pass: myUserName, salt: myUserName }); const hashPassword = await argon2.hash({ time: 16, mem: 2^15, hashLen: 32, parallelism: 2, pass: password, salt: hashSalt.hash, // .hash is Unit8Array }); save(hashPassword.encoded);

antelle commented 2 years ago

Hi! I'm not the author Argon2, my library just exports it to JS, so it's better to ask the authors about questions like this. But in my understanding it's not a good idea to generate salt based on data because it can be done by attackers as well if they get access to the algorithm of the generation. Whether it's a risk - up to you.