argon2-hashing alternatives and similar packages
Based on the "Security" category.
Alternatively, view argon2-hashing alternatives based on common mentions on social networks and blogs.
-
Lean and Mean Docker containers
Slim(toolkit): Don't change anything in your container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source) -
age
A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability. -
-
-
-
-
-
-
-
-
Themis by Cossack Labs
Easy to use cryptographic framework for data protection: secure messaging with forward secrecy and secure data storage. Has unified APIs across 14 platforms. -
acra
Database security suite. Database proxy with field-level encryption, search through encrypted data, SQL injections prevention, intrusion detection, honeypots. Supports client-side and proxy-side ("transparent") encryption. SQL, NoSQL. -
ToRat
DISCONTINUED. ToRat is a Remote Administation tool written in Go using Tor as a transport mechanism and RPC for communication -
-
-
-
-
-
-
-
teler-waf
teler-waf is a Go HTTP middleware that protects local web services from OWASP Top 10 threats, known vulnerabilities, malicious actors, botnets, unwanted crawlers, and brute force attacks. -
-
-
-
go-peer
๐ Library for developing secure, decentralized, anonymous and quantum-resistant networks in Go language -
simple-scrypt
A convenience library for generating, comparing and inspecting password hashes using the scrypt KDF in Go ๐ -
passwap
Package passwap provides a unified implementation between different password hashing algorithms. It allows for easy swapping between algorithms, using the same API for all of them. -
goSecretBoxPassword
A probably paranoid Golang utility library for securely hashing and encrypting passwords based on the Dropbox method. This implementation uses Blake2b, Scrypt and XSalsa20-Poly1305 (via NaCl SecretBox) to create secure password hashes that are also encrypted using a master passphrase. -
go-generate-password
Password generator written in Golang, usable as a CLI or Go library. Provides options for human readable and accessibility friendly passwords. -
-
secureio
An easy-to-use XChaCha20-encryption wrapper for io.ReadWriteCloser (even lossy UDP) using ECDH key exchange algorithm, ED25519 signatures and Blake3+Poly1305 checksums/message-authentication for Go (golang). Also a multiplexer. -
-
-
goArgonPass
goArgonPass is a Argon2 Password utility package for Go using the crypto library package Argon2 designed to be compatible with Passlib for Python and Argon2 PHP. Argon2 was the winner of the most recent Password Hashing Competition. This is designed for use anywhere password hashing and verification might be needed and is intended to replace implementations using bcrypt or Scrypt. -
-
CodeRabbit: AI Code Reviews for Developers
* Code Quality Rankings and insights are calculated and provided by Lumnify.
They vary from L1 to L5 with "L5" being the highest.
Do you think we are missing an alternative of argon2-hashing or a related project?
README
argon2-hashing
argon2-hashing provides a light wrapper around Go's argon2 package. Argon2 was the winner of the Password Hashing Competition that makes it easier to securely derive strong keys from weak inputs (i.e. user passwords).
With this library you can:
- Generate a argon2 derived key with a crytographically secure salt and default parameters.
- Tune argon2 with you own parameters based of you hardware configuration.
- Compare a derived key with the possible cleartext equivalent (user password).
Currently supported only Argon2id function.
The API closely mirrors with Go's Bcrypt library and Alex Edwards simple-scrypt package.
Installation
With a Go modules:
go get -u github.com/andskur/argon2-hashing
Example
argon2-hashing doesn't try to re-invent the wheel or do anything "special". It
wraps the argon2.IDKey function as thinly as possible, generates a
crytographically secure salt for you using Go's crypto/rand package, and
returns the derived key with the parameters prepended:
package main
import(
"fmt"
"log"
"github.com/andskur/argon2-hashing"
)
func main() {
// e.g. r.PostFormValue("password")
passwordFromForm := "qwerty123"
// Generates a derived key with default params
hash, err := argon2.GenerateFromPassword([]byte(passwordFromForm), argon2.DefaultParams)
if err != nil {
log.Fatal(err)
}
// Print the derived key.
fmt.Printf("%s\n", hash)
// Uses the parameters from the existing derived key. Return an error if they don't match.
err = argon2.CompareHashAndPassword(hash, []byte(passwordFromForm))
if err != nil {
log.Fatal(err)
}
}
Argon2 introduction
The Argon2 algorithm accepts a number of configurable parameters:
- Memory โ The amount of memory used by the algorithm (in kibibytes).
- Iterations โ The number of iterations (or passes) over the memory.
- Parallelism โ The number of threads (or lanes) used by the algorithm.
- Salt length โ Length of the random salt. 16 bytes is recommended for password hashing.
- Key length โ Length of the generated key (or password hash). 16 bytes or more is recommended.
- The memory and iterations parameters control the computational cost of hashing the password. The higher these figures are, the greater the cost of generating the hash. It also follows that the greater the cost will be for any attacker trying to guess the password.
But there's a balance that you need to strike. As you increase the cost, the time taken to generate the hash also increases. If you're generating the hash in response to a user action (like signing up or logging in to a website) then you probably want to keep the runtime to less than 500ms to avoid a negative user experience.
If the Argon2 algorithm is running on a machine with multiple cores, then one way to decrease the runtime without reducing the cost is to increase the parallelism parameter. This controls the number of threads that the work is spread across. There's an important thing to note here though: changing the value of the parallelism parameter changes the output of the algorithm. So โ for example โ running Argon2 with a parallelism parameter of 2 will result in a different password hash to running it with a parallelism parameter of 4.
Choosing Parameters
Picking the right parameters for Argon2 depends heavily on the machine that the algorithm is running on, and you'll probably need to do some experimentation in order to set them appropriately.
The recommended process for choosing the parameters can be paraphrased as follows:
- Set the parallelism and memory parameters to the largest amount you are willing to afford, bearing in mind that you probably don't want to max these out completely unless your machine is dedicated to password hashing.
- Increase the number of iterations until you reach your maximum runtime limit (for example, 500ms).
- If you're already exceeding the your maximum runtime limit with the number of iterations = 1, then you should reduce the memory parameter.
Thanks to
- Alex Edwards - For an excellent article, after which I was inspired to develop this package.
- Matt Silverlock - For an great and well documented simple-scrypt package which I took for the structural basis.
Authors
- Andrey Skurlatov - andskur
License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details
*Note that all licence references and agreements mentioned in the argon2-hashing README section above
are relevant to that project's source code only.