The current concatenation of the password and salt means you can shift bytes between the two parameters and get the same output, which should not be possible.
The easiest way to fix this is to append the lengths. Technically, one length will do but both are normally included in practice (e.g., in AEAD schemes).
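The ambiguity and the length-appending fix, as an added example that is not code from the project under discussion. SHA-256 stands in for whatever function actually consumes the password and salt, and the 64-bit little-endian length encoding and all function names are assumptions made for illustration.

```python
import hashlib
import struct

def naive_input(password: bytes, salt: bytes) -> bytes:
    # Plain concatenation: the boundary between the two fields is lost.
    return password + salt

def length_appended_input(password: bytes, salt: bytes) -> bytes:
    # Append both lengths as fixed-width integers (assumed encoding: 64-bit LE).
    # Fixed width matters: a variable-width length would reintroduce ambiguity.
    return password + salt + struct.pack("<QQ", len(password), len(salt))

def decode(encoded: bytes) -> tuple[bytes, bytes]:
    # The encoding is injective: the trailing lengths recover exactly one split.
    if len(encoded) < 16:
        raise ValueError("too short to contain the length trailer")
    plen, slen = struct.unpack("<QQ", encoded[-16:])
    body = encoded[:-16]
    if plen + slen != len(body):
        raise ValueError("length trailer does not match body")
    return body[:plen], body[plen:]

def digest(encode, password: bytes, salt: bytes) -> str:
    # SHA-256 is a stand-in for the real hash/KDF (assumption).
    return hashlib.sha256(encode(password, salt)).hexdigest()

def colliding_splits(encode, data: bytes) -> int:
    # Try every way of dividing `data` into (password, salt) and count
    # the splits whose digest is shared with at least one other split.
    by_digest = {}
    for i in range(len(data) + 1):
        by_digest.setdefault(digest(encode, data[:i], data[i:]), []).append(i)
    return sum(len(v) for v in by_digest.values() if len(v) > 1)

if __name__ == "__main__":
    sample = b"abcdef"  # constructed sample bytes
    print("naive, abc|def == abcd|ef:",
          digest(naive_input, b"abc", b"def") == digest(naive_input, b"abcd", b"ef"))
    print("naive colliding splits:", colliding_splits(naive_input, sample))
    print("length-appended colliding splits:",
          colliding_splits(length_appended_input, sample))
```
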