Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/elithrar/simple-scrypt
A convenience library for generating, comparing and inspecting password hashes using the scrypt KDF in Go 🔑
go hash password password-hash scrypt
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/elithrar/simple-scrypt
- Owner: elithrar
- License: mit
- Created: 2015-04-14T06:52:21.000Z (about 9 years ago)
- Default Branch: master
- Last Pushed: 2021-04-12T20:33:15.000Z (about 3 years ago)
- Last Synced: 2024-01-31T05:50:32.416Z (5 months ago)
- Topics: go, hash, password, password-hash, scrypt
- Language: Go
- Homepage:
- Size: 42 KB
- Stars: 191
- Watchers: 8
- Forks: 26
- Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE
Lists
- awesome-go - simple-scrypt - Scrypt package with a simple, obvious API and automatic cost calibration built-in. (Security / HTTP Clients)
- awesome-go-security - simple-scrypt - Scrypt package with a simple, obvious API and automatic cost calibration built-in. (Encryption)
- awesome-go-extra - simple-scrypt (Security / HTTP Clients)
- awesome-go-zh - simple-scrypt (Security / HTTP Clients)
- cybersecurity-golang-security - simple-scrypt - Scrypt package with a simple, obvious API and automatic cost calibration built-in. (Encryption)
- awesome-go-cn - simple-scrypt (Security / HTTP Clients)
- fucking-awesome-go - :octocat: simple-scrypt - an scrypt package with a simple, obvious API and automatic cost calibration built-in. :star: 64 :fork_and_knife: 6 (Security / Advanced Console UIs)
- awesome-go-projects - simple-scrypt - Scrypt package with a simple, obvious API and automatic cost calibration built-in. (Security / HTTP Clients)
- awesome-go - simple-scrypt - an scrypt package with a simple, obvious API and automatic cost calibration built-in. (Security / Advanced Console UIs)
- awesome-go-with-framework - simple-scrypt - Scrypt package with a simple, obvious API and automatic cost calibration built-in. (Security / HTTP Clients)
- zero-alloc-awesome-go - simple-scrypt - Scrypt package with a simple, obvious API and automatic cost calibration built-in. (Security / HTTP Clients)
- awesome-go-stars - simple-scrypt - Scrypt package with a simple, obvious API and automatic cost calibration built-in. (Security / HTTP Clients)
- awesome-go. - simple-scrypt - Scrypt package with a simple, obvious API and automatic cost calibration built-in. (Security / Advanced Console UIs)
- awesome-reader - simple-scrypt - Scrypt package with a simple, obvious API and automatic cost calibration built-in. (Security / HTTP Clients)
- awesome-go-cn - simple-scrypt - Scrypt library with a simple, easy-to-understand API and built-in automatic calibration (Security / Advanced Console UIs)
- awesome-go-with-stars - simple-scrypt - Scrypt package with a simple, obvious API and automatic cost calibration built-in. (Security / HTTP Clients)
- repo-1316-awesome-go-cn - simple-scrypt (Security / HTTP Clients)
- repo-1211-awesome-go-cn - simple-scrypt (Security / HTTP Clients)
- awesome-Char - simple-scrypt - Scrypt package with a simple, obvious API and automatic cost calibration built-in. (Security / HTTP Clients)
- Go-awesome - simple-scrypt - Scrypt package with a simple, obvious API and automatic cost calibration built-in. (Security / HTTP Clients)
- go-awesome-cn-star - simple-scrypt
- awesome-go-handwritten - simple-scrypt - Scrypt package with a simple, obvious API and automatic cost calibration built-in. (Security / HTTP Clients)
- awesome-go - simple-scrypt - A convenience library for generating, comparing and inspecting password hashes using the scrypt KDF in Go. - ★ 141 (Security)
- awesome-go2 - simple-scrypt - Scrypt package with a simple, obvious API and automatic cost calibration built-in. (Security / Advanced Console UIs)
- my-stars - elithrar/simple-scrypt - A convenience library for generating, comparing and inspecting password hashes using the scrypt KDF in Go 🔑 (Go)
README
# simple-scrypt
[![GoDoc](https://godoc.org/github.com/elithrar/simple-scrypt?status.svg)](https://godoc.org/github.com/elithrar/simple-scrypt) [![Build Status](https://travis-ci.org/elithrar/simple-scrypt.svg?branch=master)](https://travis-ci.org/elithrar/simple-scrypt)

simple-scrypt provides a convenience wrapper around Go's existing
[scrypt](http://golang.org/x/crypto/scrypt) package that makes it easier to
securely derive strong keys ("hash user passwords"). This library allows you to:

* Generate a scrypt derived key with a cryptographically secure salt and sane
  default parameters for N, r and p.
* Upgrade the parameters used to generate keys as hardware improves by storing
  them with the derived key (the scrypt spec. doesn't allow for this by
  default).
* Provide your own parameters (if you wish to).

The API closely mirrors Go's [bcrypt](https://golang.org/x/crypto/bcrypt)
library in an effort to make it easy to migrate—and because it's an easy to grok
API.

## Installation
With a [working Go toolchain](https://golang.org/doc/code.html):

```sh
go get -u github.com/elithrar/simple-scrypt
```

## Example
simple-scrypt doesn't try to re-invent the wheel or do anything "special". It
wraps the `scrypt.Key` function as thinly as possible, generates a
cryptographically secure salt for you using Go's `crypto/rand` package, and
returns the derived key with the parameters prepended:

```go
package main

import (
	"fmt"
	"log"

	"github.com/elithrar/simple-scrypt"
)

func main() {
	// e.g. r.PostFormValue("password")
	passwordFromForm := "prew8fid9hick6c"

	// Generates a derived key of the form "N$r$p$salt$dk" where N, r and p are defined as per
	// Colin Percival's scrypt paper: http://www.tarsnap.com/scrypt/scrypt.pdf
	// scrypt.DefaultParams (N=16384, r=8, p=1) makes it easy to provide these parameters, and
	// (should you wish) provide your own values via the scrypt.Params type.
	hash, err := scrypt.GenerateFromPassword([]byte(passwordFromForm), scrypt.DefaultParams)
	if err != nil {
		log.Fatal(err)
	}

	// Print the derived key with its parameters prepended.
	fmt.Printf("%s\n", hash)

	// Uses the parameters from the existing derived key. Returns an error if they don't match.
	err = scrypt.CompareHashAndPassword(hash, []byte(passwordFromForm))
	if err != nil {
		log.Fatal(err)
	}
}
```

## Upgrading Parameters
Upgrading derived keys from a set of parameters to a "stronger" set of parameters
as hardware improves, or as you scale (and move your auth process to separate
hardware), can be pretty useful. Here's how to do it with simple-scrypt:

```go
package main

import (
	"log"
	"reflect"

	"github.com/elithrar/simple-scrypt"
)

func main() {
	// SCENE: We've successfully authenticated a user, compared their submitted
	// (cleartext) password against the derived key stored in our database, and
	// now want to upgrade the parameters (more rounds, more parallelism) to
	// reflect some shiny new hardware we just purchased. As the user is logging
	// in, we can retrieve the parameters used to generate their key, and if
	// they don't match our "new" parameters, we can re-generate the key while
	// we still have the cleartext password in memory
	// (e.g. before the HTTP request ends).
	var hash []byte // the user's stored derived key, as loaded from the database

	current, err := scrypt.Cost(hash)
	if err != nil {
		log.Fatal(err)
	}

	// Now to check them against our own Params struct (e.g. using reflect.DeepEqual)
	// and determine whether we want to generate a new key with our "upgraded" parameters.
	slower := scrypt.Params{
		N:       32768,
		R:       8,
		P:       2,
		SaltLen: 16,
		DKLen:   32,
	}

	if !reflect.DeepEqual(current, slower) {
		// Re-generate the key with the slower parameters
		// here using scrypt.GenerateFromPassword
	}
}
```

## Automatically Determining Parameters
Thanks to the work by [tgulacsi](https://github.com/tgulacsi), you can have simple-scrypt
automatically determine the optimal parameters for you (time vs. memory). You should run this once
on program startup, as calibrating parameters can be an expensive operation.

```go
package main

import (
	"log"
	"net/http"
	"time"

	"github.com/elithrar/simple-scrypt"
)

var params scrypt.Params

func main() {
	var err error
	// 500ms, 64MB of RAM per hash.
	params, err = scrypt.Calibrate(500*time.Millisecond, 64, scrypt.Params{})
	if err != nil {
		log.Fatal(err)
	}
	// ...
}

func RegisterUserHandler(w http.ResponseWriter, r *http.Request) {
	err := r.ParseForm()
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	// Make sure you validate: not empty, not too long, etc.
	email := r.PostFormValue("email")
	pass := r.PostFormValue("password")
	// Use our calibrated parameters
	hash, err := scrypt.GenerateFromPassword([]byte(pass), params)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	// Save to DB, etc.
	_, _ = email, hash // placeholder until the record is persisted
}
```

Be aware that increasing these parameters, whilst making it harder to brute-force the resulting hash, also
increases the risk of a denial-of-service attack against your server. A surge in authentication
attempts (even if legitimate!) could consume all available resources.

## License
MIT Licensed. See LICENSE file for details.
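The parameter-upgrade check from the Upgrading Parameters section above, as an added worked example that is not part of simple-scrypt or this README: it parses the stored "N$r$p$salt$dk" record with the standard library only (salt and dk are assumed here to be hex-encoded, and the `Params` type is this example's own, mirroring the fields shown above), validates the decoded cost parameters before they could ever be handed to the KDF, and reports whether the key should be re-derived under a stronger target.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Params is this example's own type; it mirrors the fields the README shows on scrypt.Params.
type Params struct{ N, R, P, SaltLen, DKLen int }
// Parse decodes a stored "N$r$p$salt$dk" record (salt and dk assumed hex-encoded)
// and rejects values scrypt itself would refuse. scrypt needs about 128*N*r bytes,
// so a tampered record carrying a huge N must never reach the KDF.
func Parse(stored string) (Params, error) {
	f := strings.Split(stored, "$")
	if len(f) != 5 {
		return Params{}, errors.New("malformed hash: want N$r$p$salt$dk")
	}
	n, errN := strconv.Atoi(f[0])
	r, errR := strconv.Atoi(f[1])
	p, errP := strconv.Atoi(f[2])
	if errN != nil || errR != nil || errP != nil {
		return Params{}, errors.New("malformed hash: N, r and p must be integers")
	}
	salt, errS := hex.DecodeString(f[3])
	dk, errK := hex.DecodeString(f[4])
	if errS != nil || errK != nil {
		return Params{}, errors.New("malformed hash: salt and dk must be hex")
	}
	// scrypt requires N > 1 and a power of two, and r*p < 2^30.
	if n <= 1 || n&(n-1) != 0 || r <= 0 || p <= 0 || r >= 1<<30 || p >= 1<<30 || int64(r)*int64(p) >= 1<<30 {
		return Params{}, errors.New("invalid scrypt parameters")
	}
	return Params{N: n, R: r, P: p, SaltLen: len(salt), DKLen: len(dk)}, nil
}
// NeedsUpgrade is the README's reflect.DeepEqual check: re-derive the key
// (while the cleartext is still in memory) when the stored cost differs from the target.
func NeedsUpgrade(current, target Params) bool { return current != target }
func main() {
	// Constructed record: default params (N=16384, r=8, p=1), 16-byte salt, 32-byte key.
	stored := "16384$8$1$" + strings.Repeat("ab", 16) + "$" + strings.Repeat("cd", 32)
	cur, err := Parse(stored)
	if err != nil {
		panic(err)
	}
	fmt.Println(cur, NeedsUpgrade(cur, Params{N: 32768, R: 8, P: 2, SaltLen: 16, DKLen: 32}))
}
```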