UPDATE
Found an answer here: Recommended way of adding a pepper/secret key to password before hashing?
After reading https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords and doing some research I wrote some code that does the following:
- Generate a 128-bit salt using a cryptographically secure pseudorandom number generator
- Give the password and salt to a PBKDF2 implementation
- Store the 32-byte hash as the password
I would also like to include a private key as part of the process, but I'm not sure where it fits. I've used HMAC (SHA 256) in the past to authenticate a message so I was thinking either:
- Append the private key to the salt and pass the 256-bit result through the algorithm of choice (PBKDF2, bcrypt, Argon2)
- Apply an HMAC (SHA 256) to the password, then pass that to the algorithm of choice (PBKDF2, bcrypt, Argon2)
- Something else??
I want to make sure I am using the private key properly in the context of password hashing. Any suggestions or comments are greatly appreciated.
Thank you
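
The second option listed in the question (HMAC-SHA256 of the password keyed with the secret, then PBKDF2 with a random 128-bit salt), written out as an added example that is not the poster's code. The function names, the iteration count and passing the secret key in as a `bytes` argument are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SALT_BYTES = 16               # 128-bit salt, as in the question
HASH_BYTES = 32               # 32-byte stored hash, as in the question
DEFAULT_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def prehash(password: str, secret_key: bytes) -> bytes:
    """Keyed pre-hash: HMAC-SHA256(key=secret_key, msg=password)."""
    return hmac.new(secret_key, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, secret_key: bytes,
                  salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, derived_hash). Only these two values go in the database;
    the secret key is kept elsewhere (config, KMS, HSM) and never stored with them."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # CSPRNG
    derived = hashlib.pbkdf2_hmac("sha256", prehash(password, secret_key),
                                  salt, iterations, dklen=HASH_BYTES)
    return salt, derived


def verify_password(password: str, secret_key: bytes, salt: bytes,
                    expected: bytes,
                    iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, secret_key, salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample secret key
    salt, stored = hash_password("correct horse", key)
    print(verify_password("correct horse", key, salt, stored))   # right key
    print(verify_password("correct horse", secrets.token_bytes(32), salt, stored))  # wrong key
```

If the algorithm of choice is bcrypt rather than PBKDF2, encode the HMAC output (for example as Base64) before passing it on, since a raw digest can contain NUL bytes that many bcrypt implementations treat as the end of the input.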