{"id":13413765,"url":"https://github.com/andskur/argon2-hashing","last_synced_at":"2025-10-28T23:10:09.043Z","repository":{"id":100795064,"uuid":"163887421","full_name":"andskur/argon2-hashing","owner":"andskur","description":"A light package for generating and comparing password hashing with argon2 in Go","archived":false,"fork":false,"pushed_at":"2025-05-13T11:48:49.000Z","size":31,"stargazers_count":21,"open_issues_count":0,"forks_count":4,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-05-13T12:44:53.588Z","etag":null,"topics":["argon2","cryptography","go","password-hashing"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/andskur.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-01-02T20:41:02.000Z","updated_at":"2025-05-13T11:48:45.000Z","dependencies_parsed_at":"2024-01-07T21:54:05.799Z","dependency_job_id":"0a210918-531b-42a5-b2f9-024f9996aea5","html_url":"https://github.com/andskur/argon2-hashing","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/andskur/argon2-hashing","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andskur%2Fargon2-hashing","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andskur%2Fargon2-hashing/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andskur%2Fargon2-hashing/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andskur%2Fargon2-hashi
ng/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/andskur","download_url":"https://codeload.github.com/andskur/argon2-hashing/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andskur%2Fargon2-hashing/sbom","scorecard":{"id":194869,"data":{"date":"2025-08-11","repo":{"name":"github.com/andskur/argon2-hashing","commit":"10898e64d5667cfa0b343b1a07ef7cff708fa069"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies 
found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":0,"reason":"Found 1/23 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the 
project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 8 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-16T21:38:06.437Z","repository_id":100795064,"created_at":"2025-08-16T21:38:06.437Z","updated_at":"2025-08-16T21:38:06.437Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":275348502,"owners_count":25448626,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-15T02:00:09.272Z","response_time":75,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["argon2","cryptography","go","password-hashing"],"created_at":"2024-07-30T20:01:48.605Z","updated_at":"2025-09-16T01:58:47.833Z","avatar_url":"https://github.com/andskur.png","language":"Go","readme":"# argon2-hashing\n[![GoDoc](https://godoc.org/github.com/andskur/argon22-hashing?status.svg)](https://pkg.go.dev/github.com/andskur/argon2-hashing?tab=doc)\n[![Build Status](https://travis-ci.org/andskur/argon2-hashing.svg?branch=master)](https://travis-ci.org/andskur/argon2-hashing)\n[![Go Report Card](https://goreportcard.com/badge/github.com/andskur/argon2-hashing)](https://goreportcard.com/report/github.com/andskur/argon2-hashing)\n[![codecov](https://codecov.io/gh/andskur/argon2-hashing/branch/master/graph/badge.svg)](https://codecov.io/gh/andskur/argon2-hashing)\n\n**argon2-hashing** provides a light wrapper around Go's 
[argon2](https://godoc.org/golang.org/x/crypto/argon2) package.\nArgon2 was the winner of the [Password Hashing](https://password-hashing.net) Competition, and it makes it easier to securely derive strong keys from weak\ninputs (i.e. user passwords).\n\nWith this library you can:\n* Generate an argon2 derived key with a cryptographically secure salt and default parameters.\n* Tune argon2 with your own parameters based on your hardware configuration.\n* Compare a derived key with the possible cleartext equivalent (user password).\n\nCurrently only the Argon2id function is supported.\n\nThe API closely mirrors Go's [Bcrypt library](https://godoc.org/golang.org/x/crypto/bcrypt)\nand Alex Edwards [simple-scrypt package](https://github.com/elithrar/simple-scrypt).\n\n## Installation\n\nWith [Go modules](https://golang.org/doc/code.html):\n\n```sh\ngo get -u github.com/andskur/argon2-hashing\n```\n\n## Example\n\nargon2-hashing doesn't try to re-invent the wheel or do anything \"special\". It\nwraps the `argon2.IDKey` function as thinly as possible, generates a\ncryptographically secure salt for you using Go's `crypto/rand` package, and\nreturns the derived key with the parameters prepended:\n\n```go\npackage main\n\nimport(\n    \"fmt\"\n    \"log\"\n\n    \"github.com/andskur/argon2-hashing\"\n)\n\nfunc main() {\n    // e.g. r.PostFormValue(\"password\")\n    passwordFromForm := \"qwerty123\"\n\n    // Generates a derived key with default params\n    hash, err := argon2.GenerateFromPassword([]byte(passwordFromForm), argon2.DefaultParams)\n    if err != nil {\n        log.Fatal(err)\n    }\n\n    // Print the derived key.\n    fmt.Printf(\"%s\\n\", hash)\n\n    // Uses the parameters from the existing derived key. 
Return an error if they don't match.\n    err = argon2.CompareHashAndPassword(hash, []byte(passwordFromForm))\n    if err != nil {\n        log.Fatal(err)\n    }\n}\n```\n\n## Argon2 introduction\nThe [Argon2 algorithm](https://tools.ietf.org/html/draft-irtf-cfrg-argon2-04) accepts a number of configurable parameters:\n\n* Memory — The amount of memory used by the algorithm (in [kibibytes](https://en.wikipedia.org/wiki/Kibibyte)).\n* Iterations — The number of iterations (or passes) over the memory.\n* Parallelism — The number of threads (or lanes) used by the algorithm.\n* Salt length — Length of the random salt. [16 bytes is recommended](https://tools.ietf.org/html/draft-irtf-cfrg-argon2-04#section-3.1) for password hashing.\n* Key length — Length of the generated key (or password hash). 16 bytes or more is recommended.\n* The memory and iterations parameters control the computational cost of hashing the password. The higher these figures are, the greater the cost of generating the hash. It also follows that the greater the cost will be for any attacker trying to guess the password.\n\nBut there's a balance that you need to strike. As you increase the cost, the time taken to generate the hash also increases. If you're generating the hash in response to a user action (like signing up or logging in to a website) then you probably want to keep the runtime to less than 500ms to avoid a negative user experience.\n\nIf the Argon2 algorithm is running on a machine with multiple cores, then one way to decrease the runtime without reducing the cost is to increase the parallelism parameter. This controls the number of threads that the work is spread across. There's an important thing to note here though: changing the value of the parallelism parameter changes the output of the algorithm. 
So — for example — running Argon2 with a parallelism parameter of 2 will result in a different password hash to running it with a parallelism parameter of 4.\n\n### Choosing Parameters\nPicking the right parameters for Argon2 depends heavily on the machine that the algorithm is running on, and you'll probably need to do some experimentation in order to set them appropriately.\n\nThe [recommended process](https://tools.ietf.org/html/draft-irtf-cfrg-argon2-04#section-4) for choosing the parameters can be paraphrased as follows:\n\n1. Set the parallelism and memory parameters to the largest amount you are willing to afford, bearing in mind that you probably don't want to max these out completely unless your machine is dedicated to password hashing.\n2. Increase the number of iterations until you reach your maximum runtime limit (for example, 500ms).\n3. If you're already exceeding your maximum runtime limit with the number of iterations = 1, then you should reduce the memory parameter.\n\n## Thanks to\n* [Alex Edwards](https://github.com/alexedwards) - For an excellent [article](https://www.alexedwards.net/blog/how-to-hash-and-verify-passwords-with-argon2-in-go), after which I was inspired to develop this package.\n* [Matt Silverlock](https://github.com/elithrar) - For a great and well-documented [simple-scrypt](https://github.com/elithrar/simple-scrypt) package which I took for the structural basis.\n\n## Authors\n\n* **Andrey Skurlatov** - [andskur](https://github.com/andskur)\n\n## License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details","funding_links":[],"categories":["Security","安全","安全领域相关库","Relational Databases"],"sub_categories":["HTTP 
Clients","HTTP客户端","查询语"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandskur%2Fargon2-hashing","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fandskur%2Fargon2-hashing","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandskur%2Fargon2-hashing/lists"}