Closed hayr-hotoca closed 3 years ago
Do you need to pass a specific salt? If you leave it empty, the library will generate one for you, a random, cryptographically secure one using crypto.randomBytes.
By the way, you don't need to pass the parameters if you are using the defaults, and definitely don't pass both `salt` and `saltLength`, as `salt` will take precedence. `saltLength` is meant to select the size of the generated salt, not to indicate the length of the `salt` param.
Yes I need and I can do this via cli, but cannot do via js module. Wtf??

```sh
echo -n "this_is_being_hashed" | argon2-cli "custom_salt" -e
```

Simpler example which gives `Error: Invalid argument`:

```js
const argon2 = require('argon2')
// The salt is passed as a string here, which is what triggers the error below
argon2.hash('hello', { salt: 'salt' }).then(console.log)
```

```
(node:65891) UnhandledPromiseRejectionWarning: Error: Invalid argument
    at internal/util.js:308:30
    at new Promise (<anonymous>)
    at internal/util.js:307:12
    at Object.hash (.../node_modules/argon2/argon2.js:38:22)
```

Only workaround I can think of is to use cli through nodejs 💩

```js
const { spawn } = require('child_process')
// Salt goes on the command line, the text to hash goes in on stdin
const argon2cli = spawn('argon2-cli', ['custom_salt', '-e'])
argon2cli.stdout.on('data', data => console.log(data.toString().trimEnd()))
argon2cli.stdin.write('this_is_being_hashed')
argon2cli.stdin.end()
```
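I used the following in my app:

```js
import { spawn } from 'child_process'

// Hash `text` with a caller-supplied salt by piping it through argon2-cli
function hash(text, salt) {
  return new Promise((resolve, reject) => {
    const argon2cli = spawn('argon2-cli', [salt, '-e'])
    let output = ''
    // Collect all of stdout instead of resolving on the first chunk
    argon2cli.stdout.on('data', data => { output += data })
    // Reject instead of hanging if the CLI is missing or fails
    argon2cli.on('error', reject)
    argon2cli.on('close', code =>
      code === 0 ? resolve(output.trimEnd()) : reject(new Error(`argon2-cli exited with code ${code}`)))
    argon2cli.stdin.write(text)
    argon2cli.stdin.end()
  })
}
```

Usage example:

```js
console.log(await hash('text', 'salt'))
```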
> Simpler example which gives `Error: Invalid argument`:

In your example, the issue is that it is using a string as the salt, but it must be a `Buffer`. If you do `{ salt: Buffer.from('salt') }`, it will work just fine 😉

I will update the docs to reflect that the salt is binary, not text.

> Yes I need and I can do this via cli, but cannot do via js module. Wtf??

Please note that I always ask this as a disclaimer because virtually everybody asking how to use a custom salt here is misunderstanding how salts work.
@ranisalt I just cannot find a right place to ask my naïve question, so I just continue from this issue.
I always used the default function `argon2.hash(str)` without any params, and save the hash only. Since you mention the lib will generate a random one for me, and without actually saving the generated "salt" into the database, how is the lib able to recompute the same hash next time to match the hash in the database via `argon2.verify(hash, str)`?
The salt is stored within the hash in argon2. Pay attention to the first half of the resulting string.
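How the salt travels inside the stored string, as an added example that is not part of the original thread or the library's code: a parser for the `$`-delimited encoded hash, run on a constructed sample string (not a real hash). It assumes the common form with a `v=` field and only the `m`, `t` and `p` parameters; `parseArgon2` and `SAMPLE` are names made up for this illustration.

```javascript
// Added example: split an Argon2 encoded hash into its fields to show that the
// salt and cost parameters are stored in the string itself, which is why a
// verify call needs only the stored string and the candidate password.

function parseArgon2(encoded) {
  // Layout: $<type>$v=<version>$m=<KiB>,t=<passes>,p=<lanes>$<salt>$<tag>
  const parts = encoded.split('$')
  if (parts.length !== 6 || parts[0] !== '') {
    throw new Error('not an Argon2 encoded hash')
  }
  const [, type, versionField, paramField, saltB64, tagB64] = parts
  if (!['argon2d', 'argon2i', 'argon2id'].includes(type)) {
    throw new Error(`unknown variant: ${type}`)
  }
  const version = /^v=(\d+)$/.exec(versionField)
  if (!version) throw new Error('missing version field')

  const params = {}
  for (const pair of paramField.split(',')) {
    const m = /^([mtp])=(\d+)$/.exec(pair)
    if (!m) throw new Error(`unsupported parameter: ${pair}`)
    params[m[1]] = Number(m[2])
  }
  for (const key of ['m', 't', 'p']) {
    if (!(key in params)) throw new Error(`missing parameter: ${key}`)
  }
  return {
    type,
    version: Number(version[1]),
    memoryCost: params.m,
    timeCost: params.t,
    parallelism: params.p,
    salt: Buffer.from(saltB64, 'base64'), // raw salt bytes, recovered from the string
    tag: Buffer.from(tagB64, 'base64')    // the actual hash output
  }
}

// Constructed sample: a 16-byte salt and a dummy 32-byte tag, encoded as
// unpadded base64 the way the encoded string carries them.
const unpadded = (buf) => buf.toString('base64').replace(/=+$/, '')
const SAMPLE = '$argon2id$v=19$m=65536,t=3,p=4$' +
  unpadded(Buffer.from('0123456789abcdef')) + '$' +
  unpadded(Buffer.alloc(32, 0xab))

console.log(parseArgon2(SAMPLE))
```

Only the tag depends on the password; everything before it is what verification reads back to recompute the hash with the same salt and costs.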
@VityaSchel Thx for your clarification.
@VityaSchel & @ranisalt, and what about the pepper?
I want to use both the salt and the pepper; the salt `argon2` will generate for me automatically, but in case of a pepper, where is it better to integrate it in the flow?

Does the following implementation make sense:

1. To combine the plain password with the pepper
2. To calculate a `sha3-512` hash of the peppered password
3. To run `argon2id` on the hash from the step number 2

Or perhaps this flow:

1. To run `argon2id` on a plain password
2. To combine the `argon2id` hash with the pepper
3. To calculate a `sha3-512` hash based on the step number 2

Which of these two strategies do you find better? Or, perhaps, something else?
Just add the pepper to the plain text that you're hashing.
Steps to reproduce
Expected behaviour
Pass a 256bit key as a salt
Actual behaviour
Error: Invalid argument
Environment
Operating system: Windows 10
Node version: 14.16.1
Compiler version: