passlock

v0.0.0-...-a7289b3
Published: Sep 27, 2016 License: MIT Imports: 7 Imported by: 0

README

Passlock

Slightly more secure than bcrypt alone. Consider this an alternative to "peppering".

Why?

  1. Bcrypt cuts off anything longer than 72 characters.
  2. Some implementations (not Go's however) get freaked out by NUL bytes.

They get freaked out by NUL bytes? Who cares?

Some people don't think bcrypt is enough, so they'll "pepper" the user's password by keyed-hashing it before bcrypting it. This is problematic because the hash function can produce NUL bytes. This can be solved by base64 (or even hex) encoding the hash output (which is what I do in this lib), but there's still the issue of having to get users to reset their passwords if you want to change the key for the hash.

Usage

package main

import "github.com/bentranter/passlock"

func main() {
	// Your plaintext password
	password := []byte("password")

	// Get a key
	key := passlock.NewEncryptionKey()

	// Hash the password and produce the value to store
	encryptedPassword, err := passlock.GenerateFromPassword(password, passlock.DefaultCost, key)
	if err != nil {
		println(err.Error())
		return
	}

	// Check a login attempt against the stored value
	err = passlock.CompareHashAndPassword(encryptedPassword, password, key)
	if err != nil {
		println(err.Error())
		return
	}

	// We're going to rotate keys -- let's start by making a new key
	newKey := passlock.NewEncryptionKey()

	// Rotate the keys
	newEncryptedPassword, err := passlock.RotateKey(key, newKey, encryptedPassword)
	if err != nil {
		println(err.Error())
		return
	}

	// See if that password matches with the new key
	err = passlock.CompareHashAndPassword(newEncryptedPassword, password, newKey)
	if err != nil {
		println(err.Error())
		return
	}

	println("Passwords matched!")
	// Output: Passwords matched!
}

License

MIT. See the license file for more info.

Inspired by password_lock.

Encryption code taken from cryptopasta.

Documentation

Overview

Package passlock stores your passwords a tiny bit more safely than bcrypt alone.

Example
// Your plaintext password
password := []byte("password")

// Get a key
key := NewEncryptionKey()

// Hash the password and produce the value to store
encryptedPassword, err := GenerateFromPassword(password, DefaultCost, key)
if err != nil {
	fmt.Println(err)
	return
}

// Check a login attempt against the stored value
err = CompareHashAndPassword(encryptedPassword, password, key)
if err != nil {
	fmt.Println(err)
	return
}

// We're going to rotate keys -- let's start by making a new key
newKey := NewEncryptionKey()

// Rotate the keys
newEncryptedPassword, err := RotateKey(key, newKey, encryptedPassword)
if err != nil {
	fmt.Println(err)
	return
}

// See if that password matches with the new key
err = CompareHashAndPassword(newEncryptedPassword, password, newKey)
if err != nil {
	fmt.Println(err)
	return
}

fmt.Println("Passwords matched!")
Output:

Passwords matched!

Constants

const DefaultCost = 14

DefaultCost is the minimum work factor for bcrypt.

Functions

func CompareHashAndPassword

func CompareHashAndPassword(encryptedPassword, password []byte, key *[32]byte) error

CompareHashAndPassword compares a hashed password to a plaintext password. It will return nil if the passwords match, and an error otherwise.

This package wraps all the errors exported by the bcrypt package, so you won't need to import that package to compare errors.

func GenerateFromPassword

func GenerateFromPassword(password []byte, cost int, key *[32]byte) ([]byte, error)

GenerateFromPassword hashes and salts a password from the given plaintext password and HMAC key.

func NewEncryptionKey

func NewEncryptionKey() *[32]byte

NewEncryptionKey generates a random 256-bit key for Encrypt() and Decrypt(). It panics if the source of randomness fails.

func RotateKey

func RotateKey(oldKey, newKey *[32]byte, encryptedPassword []byte) ([]byte, error)

RotateKey decrypts the given hash using the old key, and encrypts it with the new one.
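
An added example (not passlock's own code) of the two ideas this page describes: pre-hashing so that bcrypt's 72-byte cutoff and NUL bytes stop mattering, and rotating the key by decrypting and re-encrypting the stored hash without the user's password. SHA-384, AES-256-GCM and the helper names `prehash`, `seal`, `open` and `rotate` are assumptions of this example; the bcrypt step is omitted and its output is treated as opaque bytes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"errors"
)

// prehash returns base64(SHA-384(pw)): always 64 bytes, never a NUL (SHA-512 would give 88).
func prehash(password []byte) []byte {
	sum := sha512.Sum384(password)
	return []byte(base64.StdEncoding.EncodeToString(sum[:]))
}

func aead(key *[32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // AES-256-GCM is this example's assumption;
	g, _ := cipher.NewGCM(block)      // neither call can fail for a 32-byte key
	return g
}

// seal encrypts an opaque bcrypt hash; the output is nonce || ciphertext || tag.
func seal(key *[32]byte, hash []byte) []byte {
	nonce := make([]byte, aead(key).NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead(key).Seal(nonce, nonce, hash, nil)
}

// open authenticates and decrypts; a wrong key or a tampered blob is an error.
func open(key *[32]byte, blob []byte) ([]byte, error) {
	if n := aead(key).NonceSize(); len(blob) >= n {
		return aead(key).Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("blob shorter than nonce")
}

// rotate re-keys a stored record; the user's password is never involved.
func rotate(oldKey, newKey *[32]byte, blob []byte) ([]byte, error) {
	hash, err := open(oldKey, blob)
	if err != nil {
		return nil, err
	}
	return seal(newKey, hash), nil
}

func main() { println(len(prehash(make([]byte, 200)))) } // prints 64
```

After `rotate`, the record opens only under the new key, so the old key can be retired once every stored record has been re-encrypted.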
