Add scrypt and pbkdf2 password encoder in module security #110
Comments
@jeevatkm Great job! :) I read some stuff about PBKDF2. It seems that these days in 2017, PBKDF2 should be avoided... Maybe it could be important to advise scrypt and bcrypt...? Prefer bcrypt or even better, scrypt over PBKDF2. https://medium.com/@mpreziuso/password-hashing-pbkdf2-scrypt-bcrypt-1ef4bb9c19b3
Thank you @julienkosinski. Default password encoder enabled in aah is I believe those posts/articles are discussing SHA256-crypt, SHA512-crypt vs bcrypt, pbkdf2 hashes. Things that should be avoided: just hash (md5, SHA-*), just hash with salt (md5, SHA-*). Typically it's recommended to use
@jeevatkm You do take care of aah users very well! Great link, thanks! You're right! :D
@julienkosinski Thank you. For every feature and enhancement in aah I do a lot of study and research for the implementation and default values to align with real world usage. Also I just read your updated comment info. I will add a warning message via logging if the user chooses pbkdf2 with a non SHA-256 or SHA-512 hash. Do you mind reviewing this doc https://github.com/go-aah/docs/blob/v0.9-dev/password-encoders.md and adding your inputs to it?
@jeevatkm Yeah, gonna propose some words about it. SHA-1 collision attacks are not as severe as I wrote in my first edit in that case because of the way PBKDF2 works. Maybe gonna propose something in the doc to advise avoiding SHA-1 anyway :). Recent Google searches: http://thehackernews.com/2017/02/sha1-collision-attack.html
Currently aah supports the bcrypt password encoder. Add scrypt and pbkdf2 too with configurable options. Enhance interface acrypto.PasswordEncoder to support Generate password hash by algorithm.

- security.Bcrypt.*
- security.Scrypt.*
- security.Pbkdf2.*

aah new command: get password algorithm