README
¶
pass 
A password checking package based on Python's passlib, an amazing library. There is no password library with more thought put into it, or with more support for obscure password formats.
Currently, it supports:
- Argon2i
- scrypt-sha256
- sha512-crypt
- sha256-crypt
- bcrypt
- passlib's bcrypt-sha256 variant
- pbkdf2-sha512 (in passlib format)
- pbkdf2-sha256 (in passlib format)
- pbkdf2-sha1 (in passlib format)
By default, it will hash using scrypt-sha256 and verify existing hashes using any of these schemes.
Example Usage
There is a default context for ease of use.
Most people only need to use the Hash and Verify functions:
// Hash gets the password in UTF-8 format and hashes it.
func Hash(password string) (hash string, err error)
// Verify verifies password in UTF-8 format using previously obtained hash.
// Returns an error if verification fails.
// Also returns updated password hash, if the provided hash is out of date.
func Verify(password string, hash string) (newHash string, err error)
import "gopkg.in/pchchv/pass"
func Register() {
(...)
var password string // get a (UTF-8, plaintext) password from somewhere
hash, err := pass.Hash(password)
if err != nil {
// error handling...
}
(store hash in database, etc.)
}
func CheckPassword(password string, hash string) bool {
newHash, err := pass.Verify(password, hash)
if err != nil {
// incorrect password, malformed hash, etc.
// error handling...
}
if newHash != "" {
// According to its policy,
// the context decided that the hash that was used
// to validate the password should be changed.
// It updated the hash using the verified password.
(store newHash in database, replacing old hash)
}
return true
}
scrypt Modular Crypt Format
Scrypt does not have an existing modular crypto-format standard. The format used in this library is as follows:
$s2$N$r$p$salt$hash
N, r and p are the corresponding complexity parameters for encryption in the form of positive decimal integers.
Documentation
¶
Overview ¶
In most cases only the Hash and Verify functions can be used after initialization, using default contexts and reasonable default values.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ( // Default schemes, the most preferred ones first. // The first scheme will be used to hash passwords, // and any of the schemes can be used to validate existing passwords. // The contents of this value may change in future releases. // // If you want to change this value, set DefaultSchemes to // a slice of the scheme.Scheme array of your construction, // rather than changing the array that the slice points to. // // See the UseDefaults function for more information on how the default schema list is defined. // The DefaultSchemes value will not change. // You need to call UseDefaults to allow your application to switch to newer hash schemes // (either set DefaultSchemes manually, or create a custom context with its own set of schemes). DefaultSchemes []scheme.Scheme )
Functions ¶
func Hash ¶
Hashes a UTF-8 plaintext password using the default context and produces a password hash. Chooses the preferred password hashing scheme based on the configured policy. The default policy is sensible.
func NeedsUpdate ¶
Uses the default context to determine whether a stub or hash needs updating.
func UseDefaults ¶
func UseDefaults()
func Verify ¶
Verifies a UTF-8 plaintext password using a previously derived password hash and the default context. Returns nil err only if the password is valid. If the hash is determined to be deprecated based on policy, and the password is valid, the password is hashed using the preferred password hashing scheme and returned in newHash. You should use this to upgrade any stored password hash in your database. newHash is empty if the password was invalid or no upgrade is required. You should treat any non-nil err as a password verification error.
func VerifyNoUpgrade ¶
Verify, but never upgrades.
Types ¶
type Context ¶
type Context struct {
// Slices the schemes to use, the most preferred ones first.
// If uninitialized, the default schema set will be used.
// A hash update will be issued every time a password is
// validated using a scheme that is not the first in this slice.
Schemes []scheme.Scheme
}
Context is a password hashing context that uses a given set of schemes to hash and validate passwords.
var DefaultContext Context
The default context, which uses sensible defaults. Most users should not reconfigure this.
func (*Context) Hash ¶
Hashes a UTF-8 plaintext password using the context and produces a password hash. If stub is "", one is generated automaticaly for the preferred password hashing scheme; you should specify stub as "" in almost all cases. The provided or randomly generated stub is used to deterministically hash the password. The returned hash is in modular crypt format. If the context has not been specifically configured, a sensible default policy is used. See the fields of Context.
func (*Context) NeedsUpdate ¶
Determines whether a stub or hash needs updating according to the policy of the context.
func (*Context) Verify ¶
Verifies a UTF-8 plaintext password using a previously derived password hash and the default context. Returns nil err only if the password is valid. If the hash is determined to be deprecated based on the context policy, and the password is valid, the password is hashed using the preferred password hashing scheme and returned in newHash. You should use this to upgrade any stored password hash in your database. newHash is empty if the password was not valid or if no upgrade is required. You should treat any non-nil err as a password verification error.
func (*Context) VerifyNoUpgrade ¶
Like Verify, but does not hash an upgrade password when upgrade is required.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
hash
|
|
|
argon2
Package argon2 implements the argon2 password hashing mechanism, wrapped in the argon2 encoded format.
|
Package argon2 implements the argon2 password hashing mechanism, wrapped in the argon2 encoded format. |
|
argon2/raw
Package raw provides a raw implementation of the modular-crypt-wrapped Argon2i primitive.
|
Package raw provides a raw implementation of the modular-crypt-wrapped Argon2i primitive. |
|
bcrypt
The bcrypt package implements the bcrypt password hashing mechanism.
|
The bcrypt package implements the bcrypt password hashing mechanism. |
|
bcryptsha256
bcryptsha256 package implements bcrypt with a SHA256 prehash in a format compatible with the equivalent bcrypt-sha256 scheme from Python passlib.
|
bcryptsha256 package implements bcrypt with a SHA256 prehash in a format compatible with the equivalent bcrypt-sha256 scheme from Python passlib. |
|
pbkdf2
Package pbkdf2 implements a modular crypt format for PBKDF2-SHA1, PBKDF2-SHA256 and PBKDF-SHA512.
|
Package pbkdf2 implements a modular crypt format for PBKDF2-SHA1, PBKDF2-SHA256 and PBKDF-SHA512. |
|
scrypt
Package scrypt implements the scrypt password hashing mechanism, wrapped in the modular crypt format.
|
Package scrypt implements the scrypt password hashing mechanism, wrapped in the modular crypt format. |
|
scrypt/raw
Package raw provides a raw implementation of the modular-crypt-wrapped scrypt primitive.
|
Package raw provides a raw implementation of the modular-crypt-wrapped scrypt primitive. |
|
sha2
Package sha2crypt implements sha256-crypt and sha512-crypt.
|
Package sha2crypt implements sha256-crypt and sha512-crypt. |
|
sha2/raw
Raw package provides a raw implementation of the sha256-crypt and sha512-crypt primitives.
|
Raw package provides a raw implementation of the sha256-crypt and sha512-crypt primitives. |
|
The scheme package contains an abstract description of the Scheme interface and additional error definitions.
|
The scheme package contains an abstract description of the Scheme interface and additional error definitions. |