by doomrobo 2270 days ago
It looks like you're storing an unsalted hash of the database's password in the plaintext header of the database itself. Is that correct? If so, this is a really really bad idea.

According to the libsodium docs:

> The string produced by crypto_pwhash_str() already includes an algorithm identifier, as well as all the parameters (including the automatically generated salt) that have been used to hash the password.

https://libsodium.gitbook.io/doc/password_hashing/default_ph...

Aha, looks like it's using a salt and iterated hashing under the hood. Thanks for the link.
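As an added example (not from this thread, and not libsodium's own code): a small Python check that inspects a stored password-hash string the way a reviewer auditing that header would. A crypto_pwhash_str() string is Argon2 in PHC form, `$argon2id$v=19$m=...,t=...,p=...$<salt>$<tag>`, so the algorithm, cost parameters and salt can all be read back out of it; a bare hex digest carries none of that. The sample strings are constructed, not real credentials, and `classify_stored_hash` is a hypothetical helper name.

```python
import base64
import hashlib
import re

# Shape of a libsodium crypto_pwhash_str() string (Argon2 PHC format):
#   $argon2id$v=19$m=<KiB>,t=<passes>,p=<lanes>$<salt b64>$<tag b64>
PHC_RE = re.compile(
    r"^\$(?P<alg>argon2(?:id|i))\$v=(?P<ver>\d+)"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)\$(?P<tag>[A-Za-z0-9+/]+)$"
)
HEX_DIGEST_RE = re.compile(r"^[0-9a-fA-F]+$")


def _b64decode_unpadded(s):
    # PHC strings drop base64 '=' padding; restore it before decoding.
    return base64.b64decode(s + "=" * (-len(s) % 4))


def classify_stored_hash(stored):
    """Describe what a stored password-hash string actually carries.

    A PHC Argon2 string is self-describing (algorithm, version, costs and
    the per-password salt are embedded), so nothing else needs storing.
    A bare hex digest is the 'unsalted hash' case the first comment feared.
    """
    stored = stored.rstrip("\x00")  # libsodium zero-pads to crypto_pwhash_STRBYTES
    m = PHC_RE.match(stored)
    if m:
        return {
            "kind": "phc", "alg": m["alg"], "version": int(m["ver"]),
            "memory_kib": int(m["m"]), "passes": int(m["t"]), "lanes": int(m["p"]),
            "salt_len": len(_b64decode_unpadded(m["salt"])),
            "tag_len": len(_b64decode_unpadded(m["tag"])),
            "salted": True,
        }
    if HEX_DIGEST_RE.match(stored) and len(stored) in (32, 40, 64, 128):
        return {"kind": "bare_digest", "digest_bits": len(stored) * 4, "salted": False}
    return {"kind": "unknown", "salted": False}


# Constructed samples: a 16-byte salt and 32-byte tag (the sizes libsodium
# emits), base64 without padding, plus a bare SHA-256 hex digest for contrast.
SAMPLE_SALT = base64.b64encode(b"0123456789abcdef").decode().rstrip("=")
SAMPLE_TAG = base64.b64encode(bytes(range(32))).decode().rstrip("=")
SAMPLE_PHC = f"$argon2id$v=19$m=65536,t=2,p=1${SAMPLE_SALT}${SAMPLE_TAG}"
SAMPLE_BARE = hashlib.sha256(b"example-only").hexdigest()

if __name__ == "__main__":
    for s in (SAMPLE_PHC, SAMPLE_BARE):
        print(classify_stored_hash(s))
```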