https://github.com/dchest/passwordhash
Go package for safe password hashing and comparison. (THIS PACKAGE IS DEPRECATED! USE bcrypt OR scrypt FROM go.crypto)
- Host: GitHub
- URL: https://github.com/dchest/passwordhash
- Owner: dchest
- License: mit
- Created: 2011-04-03T20:42:41.000Z (about 15 years ago)
- Default Branch: master
- Last Pushed: 2013-05-11T11:43:11.000Z (about 13 years ago)
- Last Synced: 2025-04-11T04:36:16.764Z (about 1 year ago)
- Language: Go
- Homepage:
- Size: 117 KB
- Stars: 8
- Watchers: 3
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
WARNING
=======
**This package is deprecated! Do not use for new projects.**
Use scrypt or bcrypt from the official go.crypto repository instead:
* https://code.google.com/p/go/source/browse/scrypt/?repo=crypto
* https://code.google.com/p/go/source/browse/bcrypt/?repo=crypto
**Drawbacks of this package are:**
1. Deriving 64-byte output from HMAC-SHA256-PBKDF2 allows for 2x speedup of attacks
(PBKDF2 takes twice as long to derive 64 bytes, but attackers only need to
derive 32 bytes to compare matches).
2. Default number of iterations (5000) is too low for most uses.
3. Currently Go's SHA256 implementation is too slow.

If you use this package but do not use the full 64-byte output for any purpose
other than what this package provides, please switch your import to:

```go
import "github.com/dchest/passwordhash/fixed/passwordhash"
```

The "fixed" version uses only the first 32 bytes of hash for comparison to
avoid the speedup attack, and the default number of iterations is increased
to 100000.
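
Drawback 1 and the 32-byte comparison in the "fixed" version, shown as an added example (not code from this package): a hand-written PBKDF2-HMAC-SHA256 on the Go standard library that counts HMAC calls, so the cost of a 64-byte derivation can be compared with the 32 bytes a guesser needs. The names `pbkdf2SHA256` and `compareCost` are made up for this illustration, and the password and salt are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// pbkdf2SHA256 derives keyLen bytes and reports how many HMACs it computed.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) ([]byte, int) {
	mac := hmac.New(sha256.New, password)
	var key []byte
	calls := 0
	for block := 1; block <= (keyLen+31)/32; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		mac.Reset()
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil) // U_1 = HMAC(password, salt || block index)
		calls++
		t := append([]byte(nil), u...)
		for n := 1; n < iter; n++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // U_n = HMAC(password, U_{n-1})
			calls++
			for j := range t {
				t[j] ^= u[j]
			}
		}
		key = append(key, t...) // each 32-byte block is computed independently
	}
	return key[:keyLen], calls
}

// compareCost returns the HMAC calls for a 64-byte hash, for a 32-byte guess, and whether they share a prefix.
func compareCost(password, salt []byte, iter int) (int, int, bool) {
	stored, d := pbkdf2SHA256(password, salt, iter, 64) // what the deprecated package stores
	guess, g := pbkdf2SHA256(password, salt, iter, 32)  // all a guesser has to compute
	return d, g, bytes.Equal(stored[:32], guess)
}

func main() {
	d, g, ok := compareCost([]byte("correct horse"), []byte("constructed-salt"), 5000)
	fmt.Println(d, g, ok) // HMAC calls: defender, guesser; prefix equality
}
```

Because the first output block alone identifies a correct guess, the iteration count only buys the work factor of a single block; requesting no more than 32 bytes from PBKDF2-HMAC-SHA256 keeps defender and guesser costs equal.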