Currently, BCrypt is used as the default password hashing and validation method. However, BCrypt has several shortcomings (listing the two most popular ones):

- A maximum password length of 72 bytes (applicable to x/crypto/bcrypt)
- Lack of memory-hardness
Argon2 has been around for some time now and won the PHC in 2015. It is standardized by the IETF while bcrypt is not (scrypt is, but consensus (source missing) goes towards Argon2). Argon2 is available as a pure Go implementation at golang.org/x/crypto/argon2.
Additionally, Argon2 has a lot of details that need to be implemented. For example the standardized string format (which includes the type, version, salt, ...) needs to be properly encoded. Choosing parameters is another question where best-practice defaults are interesting.
There is a blog post on implementing Argon2 in Go. However, I cannot vouch for the contents of the post as I am not an expert in Argon2. It seems though as if the blog post has been reviewed by the author of golang.org/x/crypto/argon2:

> Thanks to Andreas Auernhammer, author of the golang.org/x/crypto/argon2 package, for checking over this post before publication.
I therefore want to suggest adding Argon2 to this repository and providing a best-practice implementation for hashing and comparing passwords and storing password hashes.
I'd be happy to contribute but I want to stress, again, that I'm not an expert in this area.