defuse / password-hashing

Password hashing code.

Base64 encoding/decoding side-channel

defuse opened this issue

The base64 encoding/decoding leaks information about the hash and salt.

I'm closing this right away as "wontfix" because constant-time base64-encoding isn't easily available in all of our supported languages, and the risk is pretty low.

commented

Just wanted to add: If your threat model includes "an attacker might exploit a side channel on base64 encoding" consider using libsodium.
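
For readers who want to see what a base64 encoder without secret-dependent table lookups or branches looks like, here is an added example. It is not part of the thread above, and it is not code from this project or from libsodium. The names `b64_char` and `ct_base64_encode` are hypothetical and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Map a 6-bit value (0..63) to its base64 character with arithmetic only:
 * no table indexed by secret data, no data-dependent branch. (limit - v)
 * wraps to a huge unsigned value when v > limit, so the mask applies then. */
static unsigned char b64_char(unsigned int v)
{
    unsigned int c = 'A' + v;              /*  0..25 -> 'A'..'Z' */
    c += ((25u - v) >> 8) & 6u;            /* 26..51 -> 'a'..'z' */
    c -= ((51u - v) >> 8) & 75u;           /* 52..61 -> '0'..'9' */
    c -= ((61u - v) >> 8) & 15u;           /* 62     -> '+'      */
    c += ((62u - v) >> 8) & 3u;            /* 63     -> '/'      */
    return (unsigned char)c;
}

/* Encode len bytes of src into dst as padded base64, NUL-terminated.
 * dst needs 4 * ((len + 2) / 3) + 1 bytes. Branches depend only on len,
 * which is public; the byte values never select a branch or an index. */
size_t ct_base64_encode(char *dst, const unsigned char *src, size_t len)
{
    size_t i = 0, o = 0;
    for (; i + 3 <= len; i += 3) {
        unsigned int b0 = src[i], b1 = src[i + 1], b2 = src[i + 2];
        dst[o++] = (char)b64_char(b0 >> 2);
        dst[o++] = (char)b64_char(((b0 & 3u) << 4) | (b1 >> 4));
        dst[o++] = (char)b64_char(((b1 & 15u) << 2) | (b2 >> 6));
        dst[o++] = (char)b64_char(b2 & 63u);
    }
    if (i < len) {                         /* 1 or 2 trailing bytes */
        unsigned int b0 = src[i], b1 = (len - i == 2) ? src[i + 1] : 0u;
        dst[o++] = (char)b64_char(b0 >> 2);
        dst[o++] = (char)b64_char(((b0 & 3u) << 4) | (b1 >> 4));
        dst[o++] = (len - i == 2) ? (char)b64_char((b1 & 15u) << 2) : '=';
        dst[o++] = '=';
    }
    dst[o] = '\0';
    return o;
}

int main(void)
{
    const unsigned char sample[] = { 0xfb, 0xff, 0xbf, 0x00, 0x10 }; /* constructed */
    char out[9];                           /* 8 characters + NUL for 5 bytes */
    ct_base64_encode(out, sample, sizeof sample);
    puts(out);
    return 0;
}
```

Source-level code like this is only a best effort: a compiler is free to turn the masks back into branches, so the generated assembly has to be checked for the target build.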