
Given the following argon2 hash

$argon2id$v=19$m=65536,t=32,p=8$mJmKA5qamzXOPJZYw4wCEUKY$COkMH0RckaZ/3bhYCdCQjLuzoLKxcAmk4TzmHRRgTQ8

How should the hash be stored in a database? From the answers of this question it says you shouldn't store a salt in a database.

But in the above argon2 hash we see the salt is mJmKA5qamzXOPJZYw4wCEUKY. So does this mean only the hash itself, COkMH0RckaZ/3bhYCdCQjLuzoLKxc should be stored in a database? I would assume all of the other information about the hash at the beginning (such as version, v, m, t, and p) wouldn't be stored for security reasons as well?

Zack.B_
  • "From the answers of this question it says you shouldn't store a salt in a database." - it does not say this. In fact, the answers say that the salt can be stored together with the hashed password. – Steffen Ullrich Apr 05 '23 at 19:54
  • This answer correctly says "A salt is not meant to be secret". Maybe the accepted answer confused you, because it contains the statement "don't just give it out to anyone who wants it". This part of the answer means security through obscurity and thus is wrong. Even if somebody asks you for a salt, you can give it out. This will not break security. According to Kerckhoffs's principle you should expect that the attacker knows the hash and the salt. – mentallurg Apr 05 '23 at 20:52
  • @user253751: "If your design means everyone will have to see the salt..." - How do you come to this conclusion? I don't see any relation to my comment. If anything is not clear, please ask, and I will explain it better. You are trying to assign your strange idea to me. Read my comment again. – mentallurg Apr 05 '23 at 23:25
  • @mentallurg There is no reason to give out the salt unless you have to. That's what the answers say. If you operated a website with password hashes, would you give out a downloadable list of usernames and corresponding salts to everyone who wanted it? – user253751 Apr 05 '23 at 23:38
  • @user253751: You change the wording and give another meaning to the answer. The answer says "don't just give". There is no reason not to give it, if asked. If the salt is known, it doesn't make the hash any weaker. – mentallurg Apr 06 '23 at 03:18
  • @mentallurg Do you put APIs in your web apps to allow clients to download salts? – user253751 Apr 06 '23 at 18:01
  • @user253751: API? No, I don't. But if I was asked for a salt, I would tell it. – mentallurg Apr 06 '23 at 21:13
  • @mentallurg what is the salt of the first user in your database? – user253751 Apr 06 '23 at 21:24
  • @user253751: ecceaea5cf49920341c9e546523b48b2. So what? It is used only once. That's why there is no risk related to it. – mentallurg Apr 06 '23 at 22:10
  • @mentallurg now please tell me the salt of the second user in your database. Do you see why this is a waste of time yet, or should I keep going? – user253751 Apr 06 '23 at 22:23
  • @user253751: No. I don't see anything. You see all the salts. So what? They are all different. Do you understand that knowing the salt does not give any advantage? – mentallurg Apr 06 '23 at 23:00
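The page carries no answer, so here is an added worked example in Python (not code from the question or from any commenter) of what the comments describe: the entire PHC string from the question goes into one database column, and the variant, version, cost parameters and salt it carries are exactly what a later verification needs to recompute the digest. It assumes the PHC layout shown in the question; the real argon2 computation uses the third-party argon2-cffi package (`argon2.low_level.hash_secret_raw`), and `verify()` takes the KDF as a parameter so the parsing and comparison logic can be exercised without it. The sqlite3 schema and all function names are illustrative choices, not anything the page prescribes.

```python
"""Added example: storing and verifying an argon2 PHC string in a database.
Assumes the PHC layout from the question; argon2 itself needs argon2-cffi."""
import base64
import hmac
import re
import sqlite3
from dataclasses import dataclass
from typing import Callable

# The hash from the question, exactly as a library such as argon2-cffi emits it.
QUESTION_HASH = ("$argon2id$v=19$m=65536,t=32,p=8"
                 "$mJmKA5qamzXOPJZYw4wCEUKY$COkMH0RckaZ/3bhYCdCQjLuzoLKxcAmk4TzmHRRgTQ8")

# Layout: $<variant>$v=<version>$m=<KiB>,t=<passes>,p=<lanes>$<salt>$<digest>
# Salt and digest are base64 WITHOUT padding, so b64decode needs it re-added.
PHC_RE = re.compile(
    r"^\$(?P<variant>argon2(?:id|i|d))\$v=(?P<version>\d+)"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)\$(?P<digest>[A-Za-z0-9+/]+)$"
)


@dataclass(frozen=True)
class Argon2Record:
    variant: str
    version: int
    memory_kib: int
    time_cost: int
    parallelism: int
    salt: bytes      # random per record; not secret, it only has to be unique
    digest: bytes    # the only part derived from the password


def _b64d(s: str) -> bytes:
    return base64.b64decode(s + "=" * (-len(s) % 4))


def _b64e(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii").rstrip("=")


def parse_phc(encoded: str) -> Argon2Record:
    m = PHC_RE.match(encoded)
    if m is None:
        raise ValueError("not an argon2 PHC string")
    return Argon2Record(m["variant"], int(m["version"]), int(m["m"]), int(m["t"]),
                        int(m["p"]), _b64d(m["salt"]), _b64d(m["digest"]))


def encode_phc(rec: Argon2Record) -> str:
    return (f"${rec.variant}$v={rec.version}$m={rec.memory_kib},t={rec.time_cost},"
            f"p={rec.parallelism}${_b64e(rec.salt)}${_b64e(rec.digest)}")


def argon2_kdf(password: bytes, rec: Argon2Record) -> bytes:
    """Recompute the digest with the salt and parameters stored in the record.
    Assumption: argon2-cffi is installed (pip install argon2-cffi)."""
    from argon2.low_level import Type, hash_secret_raw
    variant = {"argon2id": Type.ID, "argon2i": Type.I, "argon2d": Type.D}[rec.variant]
    return hash_secret_raw(password, rec.salt, time_cost=rec.time_cost,
                           memory_cost=rec.memory_kib, parallelism=rec.parallelism,
                           hash_len=len(rec.digest), type=variant, version=rec.version)


def verify(stored: str, password: bytes,
           kdf: Callable[[bytes, Argon2Record], bytes] = argon2_kdf) -> bool:
    """Possible only because the stored string carries variant, version, costs
    and salt: strip any of them and the digest can no longer be recomputed."""
    rec = parse_phc(stored)
    return hmac.compare_digest(kdf(password, rec), rec.digest)  # constant-time


def needs_rehash(stored: str, memory_kib: int, time_cost: int, parallelism: int) -> bool:
    """Keeping the parameters also lets you raise them later: after a successful
    login, rehash any record whose parameters differ from the current policy."""
    rec = parse_phc(stored)
    return (rec.memory_kib, rec.time_cost, rec.parallelism) != (memory_kib, time_cost, parallelism)


def new_user_table() -> sqlite3.Connection:
    """One TEXT column holds the whole PHC string; no separate salt or
    parameter columns are needed.  (In-memory database, for illustration.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    return conn


def save_hash(conn: sqlite3.Connection, username: str, phc: str) -> None:
    conn.execute("INSERT OR REPLACE INTO users VALUES (?, ?)", (username, phc))


def load_hash(conn: sqlite3.Connection, username: str) -> str:
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        raise KeyError(username)
    return row[0]
```

Parsing the string from the question gives an 18-byte salt and a 32-byte digest; encoding the record back yields the identical string, which is why libraries simply hand you this one value to store. A login path is `load_hash`, `verify`, then `needs_rehash` to decide whether to re-run the KDF under the current policy and `save_hash` the result.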

0 Answers