goArgonPass is a Argon2 Password utility package for Go using the crypto library package Argon2 designed to be compatible with Passlib for Python and Argon2 PHP. Argon2 was the winner of the most recent Password Hashing Competition. This is designed for use anywhere password hashing and verification might be needed and is intended to replace implementations using bcrypt or Scrypt.

Overview

goArgonPass

GoDoc codecov Go Report Card CodeFactor

Travis:

Travis Build Status

Drone:

Drone Build Status

All hashing and crypto is done by Go library packages. This is only a utility package to make the process described easier.

Description

goArgonPass is a Argon2 Password utility package for Go using the crypto library package Argon2. Argon2 was the winner of the most recent Password Hashing Competition and doesn't suffer from issues that Bcrypt has such as truncating input over 72 characters. This is designed for use anywhere password hashing and verification might be needed and is intended to replace implementations using bcrypt or Scrypt. The string input/output format was designed to be compatible with Passlib for Python and Argon2 PHP, and you should have full compatibility using the argon2i function, but will not be able to use argon2id, which is the default for this pacakge until those libraries are updated to support it. I encourage you to find the parameters that work best for your application, but the defaults are resonable for an interactive use such as a web application login.

The default Argon2 function is Argon2id, which is a hybrid version of Argon2 combining Argon2i and Argon2d. Argon2id is side-channel resistant and provides better brute- force cost savings due to time-memory tradeoffs than Argon2i, but Argon2i is still plenty secure.

IETF Recommendation is:

Argon2id variant with t=1 and maximum available memory is recommended as a default setting for all environments. This setting is secure against side-channel attacks and maximizes adversarial costs on dedicated bruteforce hardware.

Get Started

go get github.com/dwin/goArgonPass

See example/example.go:

import (
    "fmt"
    "os"

    argonpass "github.com/dwin/goArgonPass"
)

func main() {
    // Obtain user password from form or other input
    userPassInput := "password"

    // Hash with Default Parameters
    hash, err := argonpass.Hash(userPassInput, nil)
    if err != nil {
        // Handle Error
        os.Exit(1)
    }
    fmt.Println("Hash Output: ", hash)
    // Verify Hash
    err = argonpass.Verify(userPassInput, hash)
    if err != nil {
        fmt.Println("Hash verification error: ", err)
    }
    fmt.Println("Hash verified")
}

Output Format

$ argon2id$v=19$m=65536,t=1,p=4$in2Oi1x57p0=$FopwSR12aLJ9OGPw1rKU5K5osAOGxOJzxC/shk+i850=

$ argon2{function(i/id)}$v={version}$m={memory},t={time},p={parallelism}${salt(base64)}${digest(base64)}

Other Notes

Custom Parameters

Set Custom Parameters by passing ArgonParams{} to Hash().

Parameter Type Default Valid Range
Time uint32 1 >= 1
Memory uint32 65536 >= 1024
Parallelism uint8 4 1-64
OutputSize uint32 16 16-64
Function ArgonVariant ArgonVariant2id ArgonVariant2id - ArgonVariant2i
SaltSize uint8 16 16-64
type ArgonParams struct {
    Time        uint32
    Memory      uint32
    Parallelism uint8
    OutputSize  uint32
    Function    ArgonVariant
    SaltSize    uint8
}
Issues
  • Add ArgonVariant Type

    Add ArgonVariant Type

    Add type checking around the Function parameter by creating an ArgonVariant type alias and two constants that contain valid values.

    Leaving this as a raw string makes the package harder to use, and invites invalid values.

    opened by andrewmostello 2
  • Susceptible to timing attacks

    Susceptible to timing attacks

    I ended up using "golang.org/x/crypto" directly in my own project, but just as a heads up, this implementation currently uses a time-insecure hash comparison because it early outs when it finds a mismatching byte here: https://github.com/dwin/goArgonPass/blob/master/password.go#L142

    You can read about timing attacks here: https://codahale.com/a-lesson-in-timing-attacks/ but the core issue is that a determined attacker could measure the difference in execution time between a comparisonHash that has more vs fewer initial bytes in common with decodedHash.

    Go's crypto library provides a time-secure comparison function you can use instead: https://golang.org/pkg/crypto/subtle/#ConstantTimeCompare

    Full disclosure: I am not a cryptographer, nor do I know the specifics of how Argon2 works.

    opened by jceipek 1
  • package improvements

    package improvements

    enhancement 
    opened by dwin 1
  • when generating salt, return error if any instead of just logging it

    when generating salt, return error if any instead of just logging it

    Ignoring errors when generating the salt is bad; presently if any errors occurs it will use an empty salt.

    I decided not to create a specific error for it because it would mask the original error, and it doesn't seem to be an error that the client could check for and do something about it.

    I've also changed the salt generation to the slightly more idiomatic rand.Read.

    opened by conradoplg 0
  • Create go.yml Action

    Create go.yml Action

    opened by dwin 0
  • #6 ci improvement

    #6 ci improvement

    opened by dwin 0
  • Need CI Improvement

    Need CI Improvement

    Update CI and testing process

    opened by dwin 0
Releases(v1.2.1)
Owner
Darwin
Golang developer - Blog: https://thesecondsposts.com
Darwin
Hashing algorithms simplified (supports Argon2, Bcrypt, Scrypt, PBKDF2, Chacha20poly1305 and more in the future)

PHC Crypto Inspired by Upash, also implementing PHC string format Usage Currently there are two options of using this package: Import all Import speci

Reinaldy Rafli 15 Oct 6, 2021
:key: Idiotproof golang password validation library inspired by Python's passlib

passlib for go Python's passlib is quite an amazing library. I'm not sure there's a password library in existence with more thought put into it, or wi

Hugo Landau 253 Sep 28, 2021
A light package for generating and comparing password hashing with argon2 in Go

argon2-hashing argon2-hashing provides a light wrapper around Go's argon2 package. Argon2 was the winner of the Password Hashing Competition that make

Andrey Skurlatov 14 Sep 14, 2021
A convenience library for generating, comparing and inspecting password hashes using the scrypt KDF in Go 🔑

simple-scrypt simple-scrypt provides a convenience wrapper around Go's existing scrypt package that makes it easier to securely derive strong keys ("h

Matt Silverlock 172 Sep 26, 2021
How to systematically secure anything: a repository about security engineering

How to Secure Anything Security engineering is the discipline of building secure systems. Its lessons are not just applicable to computer security. In

Veeral Patel 6.4k Oct 17, 2021
Cossack Labs 807 Oct 15, 2021
DockerSlim (docker-slim): Don't change anything in your Docker container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)

Minify and Secure Docker containers (free and open source!) Don't change anything in your Docker container image and minify it by up to 30x making it

docker-slim 10.9k Oct 24, 2021
Easy to use cryptographic framework for data protection: secure messaging with forward secrecy and secure data storage. Has unified APIs across 14 platforms.

Themis provides strong, usable cryptography for busy people General purpose cryptographic library for storage and messaging for iOS (Swift, Obj-C), An

Cossack Labs 1.4k Oct 22, 2021
SSRFuzz is a tool to find Server Side Request Forgery vulnerabilities, with CRLF chaining capabilities

SSRFuzz is a tool to find Server Side Request Forgery vulnerabilities, with CRLF chaining capabilities Why?

Ryan D'Amour 95 Sep 2, 2021
Argon2 password hashing package for go with constant time hash comparison

argon2pw Argon2 password hashing package with constant time hash comparison Preface: Argon2 was selected as the winner of the Password Hashing Competi

Raja Bhatia 87 Sep 16, 2021
Serpscan is a powerfull php script designed to allow you to leverage the power of dorking straight from the comfort of your command line.

SerpScan Serpscan is a powerful PHP tool designed to allow you to leverage the power of dorking straight from the comfort of your command line. Table

Alaa Abdulridha 44 Oct 5, 2021
Automatic HTTPS for any Go program: fully-managed TLS certificate issuance and renewal

Easy and Powerful TLS Automation The same library used by the Caddy Web Server Caddy's automagic TLS features—now for your own Go programs—in one powe

Caddy 3.8k Oct 21, 2021
Go package to embed the Mozilla Included CA Certificate List

rootcerts Package rootcerts provides an embedded copy of the Mozilla Included CA Certificate List, more specifically the PEM of Root Certificates in M

Lucas Bremgartner 55 Oct 15, 2021
一款适用于红蓝对抗中的蜜罐和钓鱼系统

goblin 钓鱼演练工具 [English Readme Click Me] goblin 是一款适用于红蓝对抗的钓鱼演练工具。通过反向代理,可以在不影响用户操作的情况下无感知的获取用户的信息,或者诱导用户操作。也可以通过使用代理方式达到隐藏服务端的目的。内置插件,通过简单的配置,快速调整网页内容

null 583 Oct 24, 2021
A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index

Nancy nancy is a tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index, and as well, works with Nexus IQ Server

Sonatype Community 328 Oct 21, 2021
PHP security vulnerabilities checker

Local PHP Security Checker The Local PHP Security Checker is a command line tool that checks if your PHP application depends on PHP packages with know

Fabien Potencier 720 Oct 14, 2021
Pure Go implementation of the NaCL set of API's

go-nacl This is a pure Go implementation of the API's available in NaCL: https://nacl.cr.yp.to. Compared with the implementation in golang.org/x/crypt

Kevin Burke 510 Sep 26, 2021
🌘🦊 DalFox(Finder Of XSS) / Parameter Analysis and XSS Scanning tool based on golang

Finder Of XSS, and Dal(달) is the Korean pronunciation of moon. What is DalFox ?? ?? DalFox is a fast, powerful parameter analysis and XSS scanner, bas

HAHWUL 1.4k Oct 23, 2021