Hashing passwords without salt is prone to rainbow table attacks. I particularly like this comment in a Java source code:
https://github.com/apache/shiro/blob/f782eb1084df73eff3e2ac0f9780cb4a4f429041/core/src/main/java/org/apache/shiro/authc/credential/HashedCredentialsMatcher.java#L56

When storing passwords, always go for salted approaches (thus bcrypt).

Also, bear in mind upx works like a charm on Go binaries:
https://blog.filippo.io/shrink-your-go-binaries-with-this-one-weird-trick/

--
-- Aldrin Leal, <ald...@leal.eng.br> / https://ingenieux.io/about/

On Mon, Apr 22, 2019 at 5:15 AM whitehexagon via golang-nuts <golang-nuts@googlegroups.com> wrote:

> I'm porting some code over to Go, and currently looking at some password
> hashing. I'm wondering if there is a 'standard library' alternative to
> using bcrypt?
>
> I am concerned about the Go binary size, since I'm already at 15MB! So
> I'm trying to limit external dependencies as much as possible.
>
> The data being stored is not critical or sensitive, just some email
> address mainly.
>
> From my research it sounds like 'golang.org/pkg/crypto/sha512/' might be
> what I need, but I don't see any clear alternative for the following
> functions below:
>
> I'm still new to Go, so I'm wondering what would be the recommended
> solution using the standard library please?
>
> Peter
>
> bcrypt.GenerateFromPassword
>
> bcrypt.CompareHashAndPassword
>
> --
> You received this message because you are subscribed to the Google Groups
> "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to golang-nuts+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.