=== Exceptions

To securely store password hashes, it is a recommended to rely on
key derivation functions that are computationally intensive. Examples of such
functions are:

* Argon2
* PBKDF2
* Scrypt
* Bcrypt

When they are used for password storage, using a secure, random salt is
required.

However, those functions can also be used for other purposes such as master key
derivation or password-based pre-shared key generation. In those cases, the
implemented cryptographic protocol might require using a fixed salt to derive
keys in a deterministic way. In such cases, using a fixed salt is safe and
accepted.