consider removing salt

[nvdk]

while this would be a breaking change, it does not seem necessary to add a salt to the password as the bcrypt algorithm already does this itself. As I understand the salt is included in the resulting hash.

Motivation for the removal:

• Removing the application salt limits the amount of configuration that is required to set up this service
• Removing the salts also allows us to simplify the service a tiny bit
• the bcrypt algorithm is limited to 72 bytes of input, anything after is truncated, for longer passwords only a short part of the salt is included anyway

[aatauil]

@nvdk worth looking at this comment aatauil/mu-node-authentication-service#1 (comment) I left it out of the js version as I also thought the bcrypt salt would be enough but apparently there is still a possible vulnerability to rainbow tables

[nvdk]

I don't think that analysis holds for bcrypt as it creates and stores its own salt. I mean for long passwords the input salt won't even be considered for the hash, since only the first 72 bytes count.