Documentation
Overview
API that tries to make it safe(r) to store users' passwords.
Constants
This section is empty.
Variables
var CurrentBestDerivationStrategy = builtinStrategies["pbkdf2-sha256-100k"]
Provide this to Store() to automatically keep newly generated passwords up-to-date according to current recommendations.
var ErrIncorrectPassword = errors.New("incorrect password")
Functions
func BuiltinStrategies
func BuiltinStrategies(id string) (DerivationStrategy, DerivationStrategy)
This works as a StrategyResolver for Verify().
Types
type DerivationStrategy
type StoredPassword
type StoredPassword string
Format: $<strategyId>$<salt>$<derived>
This tries to be somewhat compatible with https://passlib.readthedocs.io/en/stable/modular_crypt_format.html#application-defined-hashes, with the exception that we're storing the cost in the <strategyId> so that we don't have to implement different parsing formats per strategy.
func Store
func Store(plaintext string, strategy DerivationStrategy) (StoredPassword, error)
Transforms a password into a form that is safe to store in a database, provided that you pass CurrentBestDerivationStrategy as the strategy.
func Verify
func Verify(stored StoredPassword, givenPlaintext string, resolver StrategyResolver) (StoredPassword, error)
1st return: if != "", it is the upgraded version of the stored password (returned if an upgraded DerivationStrategy was found).
2nd return: nil if the hash matches and no internal errors occurred; ErrIncorrectPassword if there were no internal errors but the hash doesn't match.
This function is safe from timing attacks.
type StrategyResolver
type StrategyResolver func(id string) (found DerivationStrategy, upgrade DerivationStrategy)
Both returns MUST NOT refer to the same derivation strategy, so upgrade is nil if the stored password is already sufficient.
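The record format, the constant-time check and the found/upgrade resolver contract described above, as an added standard-library sketch that is not this package's own code. Assumptions: the helper names (derive, encode, verify, costs, upgradeTo), the constructed legacy id "pbkdf2-sha256-10k", hex for the <derived> field, the salt text used directly as the KDF salt, and verify returning the strategy id to upgrade to rather than a re-hashed record. Salt generation is left out; real records need a fresh CSPRNG salt per password.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// Iterations per strategy id and its upgrade target; the "10k" id is constructed.
var costs = map[string]int{"pbkdf2-sha256-10k": 10000, "pbkdf2-sha256-100k": 100000}
var upgradeTo = map[string]string{"pbkdf2-sha256-10k": "pbkdf2-sha256-100k"}
var errIncorrectPassword = errors.New("incorrect password")

// derive returns the first 32-byte block of PBKDF2-HMAC-SHA256.
func derive(pw, salt string, iter int) []byte {
	mac := hmac.New(sha256.New, []byte(pw))
	mac.Write([]byte(salt + "\x00\x00\x00\x01")) // salt || INT(1)
	out := mac.Sum(nil)
	for u := out; iter > 1; iter-- {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(out, out, u)
	}
	return out
}

// encode builds $<strategyId>$<salt>$<derived>; hex for <derived> is an assumption.
func encode(pw, id, salt string) string {
	return "$" + id + "$" + salt + "$" + fmt.Sprintf("%x", derive(pw, salt, costs[id]))
}

// verify returns the strategy id to re-hash with, or "" if the record is current.
func verify(stored, pw string) (string, error) {
	p := strings.Split(stored, "$")
	if len(p) != 4 || p[0] != "" || costs[p[1]] == 0 {
		return "", errors.New("malformed record or unknown strategy")
	}
	if subtle.ConstantTimeCompare([]byte(encode(pw, p[1], p[2])), []byte(stored)) != 1 {
		return "", errIncorrectPassword
	}
	return upgradeTo[p[1]], nil
}

func main() {
	fmt.Println(verify(encode("hunter2", "pbkdf2-sha256-10k", "c2FsdA"), "hunter2")) // constructed record
}
```

When verify returns a non-empty id, the caller re-hashes the plaintext it just checked under that strategy with a new random salt and overwrites the stored record.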