> I don't think 16 bytes is necessary even as insurance against the future.
The birthday problem comes into play here.
If you have 22 bits of entropy in your salt, after 2048 users (2^11) you will find two with the same salt, with 50% probability. If they also use the same password, this makes attacking your users much easier.
Don't make it easy for attackers. Use 16 bytes from a CSPRNG. Better yet: Use a password hashing library that takes care of this for you.
If you use a 128-bit (16-byte) salt, you have a 50% chance of a collision after 2^64 passwords.
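Added example, not part of the original post or any library's own code: the birthday arithmetic behind the two salt sizes discussed in the reply (22 bits with 2048 users, 128 bits with 2^64 users), an empirical check of the 22-bit case by simulation, and a salted password hash whose 16-byte salt comes from the OS CSPRNG. The hash uses PBKDF2-HMAC-SHA256 from the standard library purely for portability, and its iteration count is an illustrative assumption, not a recommendation from the thread.

```python
"""Birthday-bound arithmetic for password salts, plus a CSPRNG-salted hash.

Added example (not from the original thread). Collision probabilities use the
standard approximation P ~= 1 - exp(-n(n-1)/(2N)) for n uniform draws from a
space of N values, which is accurate whenever n is far below N.
"""
import hashlib
import math
import random
import secrets
from typing import Optional, Tuple


def collision_probability(salt_bits: int, users: int) -> float:
    """Probability that at least two of `users` random salts of `salt_bits`
    bits coincide (birthday approximation)."""
    space = 2 ** salt_bits
    return 1.0 - math.exp(-users * (users - 1) / (2.0 * space))


def users_for_probability(salt_bits: int, p: float) -> int:
    """Smallest number of salts at which a collision has probability >= p.
    Inverts the approximation above: n ~= sqrt(2 N ln(1 / (1 - p)))."""
    space = 2 ** salt_bits
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))


def simulate_collision_rate(salt_bits: int, users: int,
                            trials: int, seed: int = 1) -> float:
    """Empirical estimate: draw `users` salts `trials` times and report the
    fraction of trials containing a repeated salt. random.Random is fine for
    a simulation; it must never be used for real salts (see hash_password)."""
    rng = random.Random(seed)
    space = 2 ** salt_bits
    collided = 0
    for _ in range(trials):
        seen = set()
        for _ in range(users):
            salt = rng.randrange(space)
            if salt in seen:
                collided += 1
                break
            seen.add(salt)
    return collided / trials


# Illustrative assumption: iteration count chosen to keep the example fast.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str,
                  salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 hash. When no salt is supplied a fresh
    16-byte (128-bit) salt is drawn from the OS CSPRNG via `secrets`; the
    salt is returned so the caller can store it beside the digest."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS, dklen=32)
    return salt, digest


if __name__ == "__main__":
    for bits, users in ((22, 2048), (128, 2 ** 64)):
        print(f"{bits}-bit salt, {users} users: "
              f"P(collision) = {collision_probability(bits, users):.3f}, "
              f"50% point at {users_for_probability(bits, 0.5)} users")
    print("simulated 22-bit/2048-user collision rate:",
          simulate_collision_rate(22, 2048, trials=400))
    salt, digest = hash_password("correct horse battery staple")
    print("salt:", salt.hex(), "digest:", digest.hex())
```

The simulation only runs the 22-bit case because that space is small enough to exhaust in memory; for 128-bit salts the formula is the only practical tool, and the probability it returns for 2^64 users is the value `collision_probability(128, 2 ** 64)` prints above.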