• Stars
    star
    20
  • Rank 1,121,974 (Top 23 %)
  • Language
    Go
  • License
    MIT License
  • Created almost 6 years ago
  • Updated 10 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A light package for generating and comparing password hashing with argon2 in Go

argon2-hashing

GoDoc Build Status Go Report Card codecov

argon2-hashing provides a light wrapper around Go's argon2 package. Argon2 was the winner of the Password Hashing Competition that makes it easier to securely derive strong keys from weak inputs (i.e. user passwords).

With this library you can:

  • Generate a argon2 derived key with a crytographically secure salt and default parameters.
  • Tune argon2 with you own parameters based of you hardware configuration.
  • Compare a derived key with the possible cleartext equivalent (user password).

Currently supported only Argon2id function.

The API closely mirrors with Go's Bcrypt library and Alex Edwards simple-scrypt package.

Installation

With a Go modules:

go get -u github.com/andskur/argon2-hashing

Example

argon2-hashing doesn't try to re-invent the wheel or do anything "special". It wraps the argon2.IDKey function as thinly as possible, generates a crytographically secure salt for you using Go's crypto/rand package, and returns the derived key with the parameters prepended:

package main

import(
    "fmt"
    "log"

    "github.com/andskur/argon2-hashing"
)

func main() {
    // e.g. r.PostFormValue("password")
    passwordFromForm := "qwerty123"

    // Generates a derived key with default params
    hash, err := argon2.GenerateFromPassword([]byte(passwordFromForm), argon2.DefaultParams)
    if err != nil {
        log.Fatal(err)
    }

    // Print the derived key.
    fmt.Printf("%s\n", hash)

    // Uses the parameters from the existing derived key. Return an error if they don't match.
    err = argon2.CompareHashAndPassword(hash, []byte(passwordFromForm))
    if err != nil {
        log.Fatal(err)
    }
}

Argon2 introduction

The Argon2 algorithm accepts a number of configurable parameters:

  • Memory โ€” The amount of memory used by the algorithm (in kibibytes).
  • Iterations โ€” The number of iterations (or passes) over the memory.
  • Parallelism โ€” The number of threads (or lanes) used by the algorithm.
  • Salt length โ€” Length of the random salt. 16 bytes is recommended for password hashing.
  • Key length โ€” Length of the generated key (or password hash). 16 bytes or more is recommended.
  • The memory and iterations parameters control the computational cost of hashing the password. The higher these figures are, the greater the cost of generating the hash. It also follows that the greater the cost will be for any attacker trying to guess the password.

But there's a balance that you need to strike. As you increase the cost, the time taken to generate the hash also increases. If you're generating the hash in response to a user action (like signing up or logging in to a website) then you probably want to keep the runtime to less than 500ms to avoid a negative user experience.

If the Argon2 algorithm is running on a machine with multiple cores, then one way to decrease the runtime without reducing the cost is to increase the parallelism parameter. This controls the number of threads that the work is spread across. There's an important thing to note here though: changing the value of the parallelism parameter changes the output of the algorithm. So โ€” for example โ€” running Argon2 with a parallelism parameter of 2 will result in a different password hash to running it with a parallelism parameter of 4.

Choosing Parameters

Picking the right parameters for Argon2 depends heavily on the machine that the algorithm is running on, and you'll probably need to do some experimentation in order to set them appropriately.

The recommended process for choosing the parameters can be paraphrased as follows:

  1. Set the parallelism and memory parameters to the largest amount you are willing to afford, bearing in mind that you probably don't want to max these out completely unless your machine is dedicated to password hashing.
  2. Increase the number of iterations until you reach your maximum runtime limit (for example, 500ms).
  3. If you're already exceeding the your maximum runtime limit with the number of iterations = 1, then you should reduce the memory parameter.

Thanks to

Authors

License

This project is licensed under the MIT License - see the LICENSE file for details

More Repositories

1

CoinMc-laravel

CoinMarketCap.com api wrapper for Laravel 5.4
PHP
13
star
2

laracrypto

Laravel cryptocurrencies integration
PHP
12
star
3

andskur.github.io

JavaScript
5
star
4

go-microservice-template

Template for building go microservices
Go
5
star
5

LiteFaucet

Faucet script based on laravel framework
JavaScript
4
star
6

experemental

Go
4
star
7

pswd-hashing-tools

Tools for hashing passwords and compare result
Go
4
star
8

ERA_web

ERA web interface
HTML
3
star
9

eth-proxy

Ethereum blocks and transactions proxy with built-in cache
Go
3
star
10

era-javascript-api

ERA api wraper for javascript
JavaScript
2
star
11

hbdm-go

Go
2
star
12

contract-killable

Ethereum smart-contract with option for kill it by the Owner or make it immortal if need later
JavaScript
2
star
13

simple_chain

Go
2
star
14

substrate-infrastructure

substrate related infrastructure
HCL
2
star
15

OldNorseDictionary

An extensive Old Norse dictionary app available on macOS, iOS, iPadOS, and watchOS. Explore the language of the Vikings with detailed word information, search and filter options, and more.
Swift
2
star
16

Runatal

Runatal: A cross-platform app providing detailed information about the Elder Futhark runic alphabet, with translations in English and Russian. Available on iOS, iPadOS, macOS, and Apple Watch.
Swift
1
star
17

andskur

1
star
18

number-parser

Rust
1
star
19

andskur.com

1
star
20

web-crawler

Simple go web-crawler
Go
1
star
21

number-parsing

accepts a numeric literal through stdin and writes out a human-readable english form of it
Go
1
star
22

go-kanban

Go
1
star
23

LaraCart

Simple Shoping Cart for Laravel framework
PHP
1
star
24

gatekeeper

Go
1
star