Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Go package for safe password hashing and comparison. (THIS PACKAGE IS DEPRECATED! USE bcrypt OR scrypt FROM go.crypto)

branch: master

Fetching latest commit…

Octocat-spinner-32-eaf2f5

Cannot retrieve the latest commit at this time

Octocat-spinner-32 fixed
Octocat-spinner-32 .gitignore
Octocat-spinner-32 LICENSE
Octocat-spinner-32 README.md
Octocat-spinner-32 passwordhash.go
Octocat-spinner-32 passwordhash_test.go
README.md

WARNING

This package is deprecated! Do not use for new projects.

Instead of it, use scrypt or bcrypt from the official go.crypto repository:

Drawbacks of this package are:

  1. Deriving 64-byte output from HMAC-SHA256-PBKDF2 allows for 2x speedup of attacks (PBKDF2 takes twice as long to derive 64 bytes, but attackers only need to derive 32 bytes to compare matches).

  2. Default number of iterations (5000) is too low for most uses.

  3. Currenly Go's SHA256 implementation is too slow.

If you use this package, but do not use full 64-byte output for any purposes other than what this package provides, please switch import to:

import "github.com/dchest/passwordhash/fixed/passwordhash"

The "fixed" version uses only the first 32 bytes of hash for comparison to avoid the speedup attack, and the default number of iterations is increased to 100000.

Something went wrong with that request. Please try again.