goArgonPass is an Argon2 password utility package for Go built on the golang.org/x/crypto/argon2 package, designed to be compatible with Passlib for Python and Argon2 in PHP. Argon2 was the winner of the most recent Password Hashing Competition. This package is designed for use anywhere password hashing and verification are needed and is intended to replace implementations using bcrypt or scrypt.

Overview

goArgonPass

All hashing and cryptography is done by Go library packages (golang.org/x/crypto/argon2); this is only a utility package that makes the hash-and-verify process easier.

Description

goArgonPass is an Argon2 password utility package for Go built on the golang.org/x/crypto/argon2 package. Argon2 was the winner of the most recent Password Hashing Competition and does not suffer from bcrypt's limitations, such as silently truncating input beyond 72 bytes. It is designed for use anywhere password hashing and verification are needed and is intended to replace implementations using bcrypt or scrypt. The string input/output format was designed to be compatible with Passlib for Python and Argon2 in PHP: you have full compatibility when using the argon2i function, but not with argon2id, the default for this package, until those libraries are updated to support it (Passlib 1.7.2 and PHP 7.3 have since added argon2id support). I encourage you to find the parameters that work best for your application, but the defaults are reasonable for interactive use such as a web application login.

The default Argon2 function is Argon2id, a hybrid of Argon2i and Argon2d. Argon2id keeps Argon2i's resistance to side-channel attacks while matching Argon2d's stronger resistance to time-memory tradeoff attacks, so it raises the cost of GPU and ASIC brute force more than Argon2i does; Argon2i remains a sound choice where compatibility requires it.

The IETF recommendation (from the CFRG Argon2 draft, since published as RFC 9106) is:

Argon2id variant with t=1 and maximum available memory is recommended as a default setting for all environments. This setting is secure against side-channel attacks and maximizes adversarial costs on dedicated bruteforce hardware.

Get Started

go get github.com/dwin/goArgonPass

See example/example.go:

package main

import (
    "fmt"
    "os"

    argonpass "github.com/dwin/goArgonPass"
)

func main() {
    // Obtain user password from form or other input
    userPassInput := "password"

    // Hash with default parameters (nil selects the package defaults:
    // Argon2id, m=65536, t=1, p=4)
    hash, err := argonpass.Hash(userPassInput, nil)
    if err != nil {
        fmt.Fprintln(os.Stderr, "hash error: ", err)
        os.Exit(1)
    }
    fmt.Println("Hash Output: ", hash)

    // Verify the stored hash against the supplied password. A non-nil error
    // means the password does not match (or the hash string is malformed), so
    // do not fall through to the success path.
    if err := argonpass.Verify(userPassInput, hash); err != nil {
        fmt.Println("Hash verification error: ", err)
        os.Exit(1)
    }
    fmt.Println("Hash verified")
}

Output Format

Hash strings use the Passlib/PHP-compatible, dollar-separated encoding:

$argon2id$v=19$m=65536,t=1,p=4$in2Oi1x57p0=$FopwSR12aLJ9OGPw1rKU5K5osAOGxOJzxC/shk+i850=

$argon2{function(i/id)}$v={version}$m={memory},t={time},p={parallelism}${salt(base64)}${digest(base64)}

where version is 19 (0x13, the current Argon2 version), memory is in KiB, and salt and digest are padded standard base64.

Other Notes

Custom Parameters

Set custom parameters by passing an ArgonParams{} to Hash().

Parameter     Type           Default           Valid Range
Time          uint32         1                 >= 1
Memory (KiB)  uint32         65536             >= 1024
Parallelism   uint8          4                 1-64
OutputSize    uint32         16                16-64
Function      ArgonVariant   ArgonVariant2id   ArgonVariant2id or ArgonVariant2i
SaltSize      uint8          16                16-64

type ArgonParams struct {
    Time        uint32
    Memory      uint32
    Parallelism uint8
    OutputSize  uint32
    Function    ArgonVariant
    SaltSize    uint8
}
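The hash string described under Output Format can be parsed and validated without running the KDF at all, and that parse step is also where an application decides whether a stored hash needs upgrading. The Go program below is an added example, not part of goArgonPass: ParseHash, Parsed, Policy and NeedsRehash are names chosen here, and the m/t/p ranges it enforces are the ones in the Custom Parameters table above. It uses only the standard library, so the Argon2 computation itself and the constant-time digest comparison that Verify performs are outside its scope.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ExampleHash is the hash string shown under Output Format above.
const ExampleHash = "$argon2id$v=19$m=65536,t=1,p=4$in2Oi1x57p0=$FopwSR12aLJ9OGPw1rKU5K5osAOGxOJzxC/shk+i850="

// Parsed holds the decoded fields of a goArgonPass-style hash string:
// $argon2{i|id}$v={version}$m={memory},t={time},p={parallelism}${salt}${digest}
type Parsed struct {
	Variant     string // "argon2i" or "argon2id"
	Version     int    // 19 (0x13) is the only Argon2 version in current use
	Memory      uint32 // KiB
	Time        uint32 // passes
	Parallelism uint8  // lanes
	Salt        []byte
	Digest      []byte
}

// Policy is the parameter set an application currently wants new hashes to use
// (hypothetical type for this example).
type Policy struct {
	Variant      string
	Memory, Time uint32
}

// ParseHash splits and validates an encoded hash. Variant, version and the
// m/t/p ranges from the Custom Parameters table are enforced; salt and digest
// lengths are decoded but not range-checked, so hashes written under older
// settings still parse and can be flagged by NeedsRehash instead of rejected.
func ParseHash(s string) (*Parsed, error) {
	parts := strings.Split(s, "$")
	// The leading '$' yields an empty first element, followed by five fields.
	if len(parts) != 6 || parts[0] != "" {
		return nil, errors.New("argon2: malformed hash string")
	}
	p := &Parsed{Variant: parts[1]}
	if p.Variant != "argon2i" && p.Variant != "argon2id" {
		return nil, fmt.Errorf("argon2: unsupported variant %q", p.Variant)
	}
	if !strings.HasPrefix(parts[2], "v=") {
		return nil, errors.New("argon2: missing version field")
	}
	v, err := strconv.Atoi(parts[2][2:])
	if err != nil || v != 19 {
		return nil, fmt.Errorf("argon2: unsupported version %q", parts[2])
	}
	p.Version = v

	// Parameters must be exactly m=,t=,p= in that order; each must fit in uint32.
	fields := strings.Split(parts[3], ",")
	keys := [3]string{"m", "t", "p"}
	var vals [3]uint64
	if len(fields) != len(keys) {
		return nil, errors.New("argon2: expected m,t,p parameters")
	}
	for i, f := range fields {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 || kv[0] != keys[i] {
			return nil, fmt.Errorf("argon2: bad parameter %q", f)
		}
		n, err := strconv.ParseUint(kv[1], 10, 32)
		if err != nil {
			return nil, fmt.Errorf("argon2: bad parameter %q", f)
		}
		vals[i] = n
	}
	p.Memory, p.Time = uint32(vals[0]), uint32(vals[1])
	switch {
	case p.Memory < 1024:
		return nil, errors.New("argon2: memory must be >= 1024 KiB")
	case p.Time < 1:
		return nil, errors.New("argon2: time must be >= 1")
	case vals[2] < 1 || vals[2] > 64:
		return nil, errors.New("argon2: parallelism must be 1-64")
	}
	p.Parallelism = uint8(vals[2])

	// Salt and digest are padded standard base64; an empty field is an error.
	if p.Salt, err = base64.StdEncoding.DecodeString(parts[4]); err != nil || len(p.Salt) == 0 {
		return nil, errors.New("argon2: bad salt encoding")
	}
	if p.Digest, err = base64.StdEncoding.DecodeString(parts[5]); err != nil || len(p.Digest) == 0 {
		return nil, errors.New("argon2: bad digest encoding")
	}
	return p, nil
}

// NeedsRehash reports whether a stored hash is weaker than the policy: a
// different variant, or less memory or fewer passes than currently required.
// Call it after a successful Verify and rehash while the password is in hand.
func NeedsRehash(p *Parsed, pol Policy) bool {
	return p.Variant != pol.Variant || p.Memory < pol.Memory || p.Time < pol.Time
}

func main() {
	p, err := ParseHash(ExampleHash)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("%s v%d m=%d t=%d p=%d salt=%d bytes digest=%d bytes\n",
		p.Variant, p.Version, p.Memory, p.Time, p.Parallelism, len(p.Salt), len(p.Digest))
	fmt.Println("needs rehash under m=131072:",
		NeedsRehash(p, Policy{Variant: "argon2id", Memory: 131072, Time: 1}))
}
```

Run as is, it prints the decoded fields of the page's example hash. Because salt and digest lengths are decoded but not range-checked, a hash written under settings outside the table (the example string carries an 8-byte salt) still parses, and NeedsRehash is the hook that flags it for regeneration after the next successful login rather than locking the user out.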
Issues
  • Add ArgonVariant Type

    Add type checking around the Function parameter by creating an ArgonVariant type alias and two constants that contain valid values.

    Leaving this as a raw string makes the package harder to use, and invites invalid values.

    opened by andrewmostello 2
  • Susceptible to timing attacks

    I ended up using "golang.org/x/crypto" directly in my own project, but just as a heads up, this implementation currently uses a time-insecure hash comparison because it early outs when it finds a mismatching byte here: https://github.com/dwin/goArgonPass/blob/master/password.go#L142

    You can read about timing attacks here: https://codahale.com/a-lesson-in-timing-attacks/ but the core issue is that a determined attacker could measure the difference in execution time between a comparisonHash that has more vs fewer initial bytes in common with decodedHash.

    Go's crypto library provides a time-secure comparison function you can use instead: https://golang.org/pkg/crypto/subtle/#ConstantTimeCompare

    Full disclosure: I am not a cryptographer, nor do I know the specifics of how Argon2 works.

    opened by jceipek 1
  • When generating salt, return error if any instead of just logging it

    Ignoring errors when generating the salt is bad; presently, if any error occurs, it will use an empty salt.

    I decided not to create a specific error for it because it would mask the original error, and it doesn't seem to be an error that the client could check for and do something about.

    I've also changed the salt generation to the slightly more idiomatic rand.Read.

    opened by conradoplg 0
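The early-exit comparison described in the timing-attack issue above, beside the crypto/subtle replacement the reporter suggests, as an added example that is neither the project's code nor the reporter's: insecureEqual reproduces the pattern and also reports how many bytes it examined before returning, so the information a timing measurement would leak is visible directly; constantTimeEqual is the fix. The stored digest is a constructed stand-in, not a real Argon2 output, and the function names are chosen here.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// insecureEqual is the pattern the issue describes: it returns on the first
// mismatching byte, so its running time grows with the length of the matching
// prefix. It also returns how many bytes were examined, to make the leak
// visible without a stopwatch. This is the "before"; never use it for secrets.
func insecureEqual(stored, candidate []byte) (equal bool, bytesExamined int) {
	if len(stored) != len(candidate) {
		return false, 0
	}
	for i := range stored {
		bytesExamined++
		if stored[i] != candidate[i] {
			return false, bytesExamined
		}
	}
	return true, bytesExamined
}

// constantTimeEqual uses crypto/subtle, whose running time depends only on the
// length of the inputs, never on where they differ. Unequal lengths return 0
// immediately, which is acceptable because a digest's length is not secret.
func constantTimeEqual(stored, candidate []byte) bool {
	return subtle.ConstantTimeCompare(stored, candidate) == 1
}

func main() {
	stored := []byte("0123456789abcdef") // constructed stand-in for a decoded digest
	for _, c := range []string{"x123456789abcdef", "01234567x9abcdef", "0123456789abcdef"} {
		eq, n := insecureEqual(stored, []byte(c))
		fmt.Printf("insecure:      %q equal=%v bytes examined=%d\n", c, eq, n)
		fmt.Printf("constant-time: %q equal=%v\n", c, constantTimeEqual(stored, []byte(c)))
	}
}
```

The first candidate is rejected after one byte and the second after nine; that difference is exactly what an attacker with enough samples can measure over a network. The constant-time version gives the same true/false answers with no such variation. Note that in a real Verify the comparison is on the decoded digest bytes, not on the base64 text, and the length check is safe only because the digest size is already public in the hash string.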
Releases: v1.2.1

Owner: Darwin (Golang developer; blog: https://thesecondsposts.com)