DEV Community

Discussion on: Q Vault: An open source secret manager

Tari R. Alfaro

Also, what's up with this?

I don't think that a hardcoded salt is production ready ...

Lane Wagner

The salt isn't security critical in our use case because the result of the hash isn't stored.

Tari R. Alfaro

But that's no excuse for reusing salts.

Tari R. Alfaro

You might as well not use a salt.

Lane Wagner

  1. Yes, it is the perfect excuse to reuse salts because the salt is basically irrelevant.
  2. The crypto library requires a salt so we simply supply one.

Again, we hand-chose these algorithms for a reason. We don't want to use a higher level library and lose control. The node/crypto implementation requires a salt so we supply one. It doesn't matter that it never changes or that it is public knowledge.

Tari R. Alfaro

Oh okay, that makes sense now. I thought you were using a salt legitimately.

Lane Wagner

Yeah, it is kinda a strange use case haha

Nathilia Pierce • Edited

Actually, I disagree. Salts are used to prevent rainbow tables/precomputed KDFs, and it's a standard that's highly recommended. You can store the salt with the database. KeePass uses a random salt.

For example, if an attacker precomputed "password" and tried it on another user's machine, then if they're lucky, their password is also "password", and the database decrypts. This wouldn't happen if you used salts.

Just because the KDF isn't stored doesn't mean you can't do rainbow tables.
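
The point argued in the comment above, as an added example that is not part of the thread and not Qvault's code: a key derived once for a common password under a constant salt fits every vault that uses that password, while a random per-vault salt stored beside the ciphertext breaks that reuse without affecting the owner's unlock. The choice of scrypt and AES-256-GCM, the constant salt value and every function name are assumptions made for illustration.

```javascript
// Added illustration; not Qvault's code. KDF, cipher and all names are assumptions.
const crypto = require('node:crypto');

const HARDCODED_SALT = Buffer.from('app-wide-constant-salt'); // constructed value

function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32); // 32-byte key for AES-256
}

// Encrypt under a password-derived key; the salt is stored next to the ciphertext.
function createVault(password, plaintext, salt = crypto.randomBytes(16)) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the key is wrong (GCM tag check fails).
function openWithKey(vault, key) {
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, vault.iv);
    decipher.setAuthTag(vault.tag);
    return Buffer.concat([decipher.update(vault.ct), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Normal unlock path: read the stored salt, re-derive the key, decrypt.
function openVault(vault, password) {
  return openWithKey(vault, deriveKey(password, vault.salt));
}

function demo() {
  // One key derived ahead of time for a common password and the public constant salt.
  const precomputed = deriveKey('password', HARDCODED_SALT);
  const fixed = [createVault('password', 'alice notes', HARDCODED_SALT),
                 createVault('password', 'bob notes', HARDCODED_SALT)];
  const random = [createVault('password', 'alice notes'),
                  createVault('password', 'bob notes')];
  return {
    fixedSalt: fixed.map((v) => openWithKey(v, precomputed)),   // both open
    randomSalt: random.map((v) => openWithKey(v, precomputed)), // neither opens
    ownerUnlock: openVault(random[0], 'password'),              // stored salt still works
    saltsDiffer: !random[0].salt.equals(random[1].salt),
  };
}

console.log(demo());
```
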

Lane Wagner

Yup, we added random salts several months back!

Nathilia Pierce

Oh. That's great to hear! FYI, Qvault looks nice. Do you think you'll be able to do dual encryption via file(s), or physical security keys?

Lane Wagner

Yes, that is something we are looking into. First we want to add box-level encryption though.

Nathilia Pierce

I've tried searching, but I can't seem to find anything about box-level encryption. What do you mean?