I am generating API key similarly to Stripe where my key is {prefix}_{guid}_{suffix}.
- Prefix is a constant
- Guid is the "password" portion of the key
- Suffix is a random 4 character string that will be visible to the user
Should the entire string {prefix}_{guid}_{suffix} be hashed or only {guid}? If only the guid should be hashed, is there any security concern with storing the suffix next to the hash in the database?
I've read through a few blogs but haven't found much that touches on this.
Adding a random prefix and/or suffix to a value before hashing is called salting. It is a recommended practice.
The purpose is to prevent someone from knowing whether, for example, UserA has the same password as UserB, because their hashed values are identical. Hence, you add a cryptographically secure random value prefix/suffix (salt) for each user, then even if they use the same password, their hashed values would always be different.
But in your case, if you already provide a version 4 GUID as a pre-hashed value, it's guaranteed to be unique, so you don't have to add a salt.