Argon2(password, email+name+birth date) or Argon2(password, email+name+birth date+password) ?
There is no notable difference in security, thus keep it simple. What matters most to security are (somewhat in decreasing order)
- The integrity of the execution environment (if the inputs including password can be monitored, forget about security)
- The quality of the password (
123456 can't be made safe). Calling it a passphrase in user interactions (as in PGP) is cheap, and I believe helps more often than not.
- parameters for the workfactor (if in doubt, for password use, see recommendations)
- $t$ (controlling number of passes)
- $m$ (controlling memory size)
- $p$ (controlling degree of parallelism)
- the uniqueness (and to some degree unpredictability) of the salt
- the secrecy of $K$ (secret value aka pepper) if used
- the Argon2 variant if side channels are an issue (Argon2id should be fine in practice).
I'm going to use as salt: email+name+date of birth
Beware that name and date of birth are often considered confidential (as well as email sometime), and unless they are supplied at each use they will need to be stored. The standard thing is a random salt, and some libraries packaging Argon2 for generation and verification of password tokens won't allow another option.
What format should I pass the salt? Hexadecimal?
Salt/nonce $S$ is defined as a bytestring in Argon2, thus I see no point in doubling the size by going hex unless the library used to access Argon2 has some limitation. Again, some libraries handle the salt, and store it into the password token (typically with some text encoding).
