
n.b. I am not a crypto expert (which is why I'm using a library like NaCl).

From what I have read on the subject, the most secure way to store user passwords in a database is to store the hash and the salt used to generate that hash. I decided to use libsodium-net for this purpose, but now I'm left with the question in the subject: do I not need to generate and store salts? I ask because libsodium-net includes these functions:

```csharp
using Sodium; // libsodium-net namespace

// this uses the default Strength.Interactive hashing algorithm;
// the returned string embeds the salt and the scrypt parameters
var hash = PasswordHash.ScryptHashString(password);

// verification needs only the stored string and the candidate password
var isValid = PasswordHash.ScryptHashStringVerify(hash, password);
```

There doesn't appear to be a need to use a salt when either generating or verifying the hash. In fact, there are no overloaded methods of ScryptHashString and ScryptHashStringVerify that accept a salt. I feel like I'm missing something obvious here. Am I? Or does libsodium-net obviate the need for salts?

Lex

1 Answer


The answer is in the documentation. The string returned from PasswordHash.ScryptHashString(password) contains the salt (and a couple of other parameters), so there's no need to store a salt separately.

Lex
is correct. You don't need to store the salt nor the other parameters (max memory & max ops). Everything is already stored in the returned string. The salt itself is automatically generated by `ScryptHashString()`. – Frank Denis Mar 13 '16 at 15:56
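To make the answer concrete, here is an added example (not libsodium-net code, and not libsodium's actual `$7$` string encoding) that builds the same kind of self-describing hash string with Python's standard-library `hashlib.scrypt`: the cost parameters, a freshly generated random salt, and the derived key are all encoded into one string, and verification parses that string to recover the salt and parameters instead of taking them as separate arguments. The `$scrypt$ln=..,r=..,p=..$salt$key` layout, the `SALT_LEN`/`KEY_LEN` sizes and the default parameters (picked to be roughly comparable to a scrypt "interactive" level) are this example's own choices, and `needs_rehash` is an extra check that storing the parameters makes possible:

```python
import base64
import hashlib
import hmac
import os

# Example parameters (N = 2**14, r = 8, p = 1), chosen here for the demo;
# they are an assumption, not values read from libsodium-net.
DEFAULT_LN, DEFAULT_R, DEFAULT_P = 14, 8, 1
SALT_LEN = 16   # bytes of random salt per hash
KEY_LEN = 32    # bytes of derived key stored in the string
PREFIX = "$scrypt$"   # hypothetical format marker for this example


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def scrypt_hash_string(password: str, *, ln: int = DEFAULT_LN,
                       r: int = DEFAULT_R, p: int = DEFAULT_P) -> str:
    """Return one string carrying parameters, a fresh random salt and the derived key.

    The caller never supplies or sees the salt; two calls with the same password
    produce different strings because the salt is drawn from os.urandom each time.
    """
    salt = os.urandom(SALT_LEN)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=2 ** ln, r=r, p=p, dklen=KEY_LEN)
    return f"{PREFIX}ln={ln},r={r},p={p}${_b64(salt)}${_b64(key)}"


def parse_hash_string(hash_string: str) -> dict:
    """Split an encoded string back into parameters, salt and key.

    Raises ValueError on anything that does not follow the expected layout.
    """
    if not hash_string.startswith(PREFIX):
        raise ValueError("not a hash string in this example's format")
    params, salt_b64, key_b64 = hash_string[len(PREFIX):].split("$")
    kv = dict(item.split("=", 1) for item in params.split(","))
    return {
        "ln": int(kv["ln"]), "r": int(kv["r"]), "p": int(kv["p"]),
        "salt": _unb64(salt_b64), "key": _unb64(key_b64),
    }


def scrypt_hash_string_verify(hash_string: str, password: str) -> bool:
    """Recompute scrypt with the salt and parameters stored in the string.

    Malformed input is treated as a failed login rather than an exception, and the
    comparison is constant-time so a wrong guess leaks nothing about the prefix.
    """
    try:
        h = parse_hash_string(hash_string)
    except (ValueError, KeyError):
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=h["salt"],
                               n=2 ** h["ln"], r=h["r"], p=h["p"], dklen=len(h["key"]))
    return hmac.compare_digest(candidate, h["key"])


def needs_rehash(hash_string: str, *, ln: int = DEFAULT_LN,
                 r: int = DEFAULT_R, p: int = DEFAULT_P) -> bool:
    """True when the stored string was produced with weaker parameters than current policy.

    Because the parameters live in the string, old hashes can be upgraded
    transparently the next time the user logs in with the correct password.
    """
    h = parse_hash_string(hash_string)
    return h["ln"] < ln or h["r"] < r or h["p"] < p


if __name__ == "__main__":
    stored = scrypt_hash_string("correct horse battery staple")   # constructed sample input
    print(stored)
    print(scrypt_hash_string_verify(stored, "correct horse battery staple"))
    print(scrypt_hash_string_verify(stored, "wrong password"))
```

The database column holds only the returned string; on login, the application passes the stored string and the submitted password to the verify function, exactly as the libsodium-net pair in the question does, and the parsed parameters also tell you when a stored hash predates a stronger cost setting.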