need help to hash the password using go


John Qin

Jun 2, 2014, 11:15:43 AM
to golan...@googlegroups.com
I want to hash the password using Go. The code below is from Rog's post. He's using SHA-1; it works. The part that is commented out is my code; I want to make it more secure using SHA-256.

I am getting the following error message.

# command-line-arguments
 h.Sum256 undefined (type hash.Hash has no field or method Sum256)

I don't understand why Rog's code works, but not mine.




package main

import (
	"crypto/rand"
	"crypto/sha1"
	//"crypto/sha256"
	"fmt"
	"io"
)

const SaltSize = 16

/*
func saltedHash(secret []byte) []byte {
	fmt.Printf("sha256 size: %v\n", sha256.Size)

	// buf holds the salt; the extra capacity leaves room for the digest to be appended
	buf := make([]byte, SaltSize, SaltSize+sha256.Size)
	_, err := io.ReadFull(rand.Reader, buf)
	if err != nil {
		panic(fmt.Errorf("random read failed: %v", err))
	}

	h := sha256.New()
	h.Write(buf)
	h.Write(secret)
	return h.Sum256(buf) // this is the line the compiler rejects
}
*/

func saltedHash1(secret []byte) []byte {
	fmt.Printf("sha1 size: %v\n", sha1.Size)

	// buf holds the salt; the extra capacity leaves room for the digest to be appended
	buf := make([]byte, SaltSize, SaltSize+sha1.Size)
	_, err := io.ReadFull(rand.Reader, buf)
	if err != nil {
		panic(fmt.Errorf("random read failed: %v", err))
	}

	h := sha1.New()
	h.Write(buf)
	h.Write(secret)
	return h.Sum(buf) // appends the digest after the salt: salt || SHA-1(salt || secret)
}

func main() {
	//h := saltedHash([]byte("hello"))
	//fmt.Println(h)
	h1 := saltedHash1([]byte("hello"))
	fmt.Println(h1)
}




Shawn Milochik

Jun 2, 2014, 11:22:27 AM
to golan...@googlegroups.com
If you look at the docs for sha256, you'll see that it has a Sum256 function. It's stand-alone, not attached to the hash. When you call sha256.New, it returns a hash.Hash (an interface), which has a Sum method exported, but not a Sum256.
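To make the distinction Shawn describes concrete, here is an added example (not code from the thread). It computes the same digest with the package-level sha256.Sum256 and with the hash.Hash from sha256.New, and applies the one-line fix to the commented-out saltedHash from the question (h.Sum instead of h.Sum256, so the digest is appended after the salt). The function names digestTwoWays, saltedSHA256 and newSalt are my own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

const saltSize = 16

// digestTwoWays hashes data with SHA-256 both ways the thread mentions.
// sha256.Sum256 is a package-level function returning a fixed [32]byte;
// sha256.New returns a hash.Hash whose Sum (there is no Sum256 method)
// appends the digest to the slice it is given. The two digests are identical.
func digestTwoWays(data []byte) ([32]byte, []byte) {
	direct := sha256.Sum256(data)

	h := sha256.New()
	h.Write(data)
	streamed := h.Sum(nil) // nil => allocate a fresh 32-byte slice
	return direct, streamed
}

// saltedSHA256 is the commented-out saltedHash from the question with the
// fix applied: h.Sum(buf) appends the digest after the salt that buf already
// holds, giving salt || SHA-256(salt || secret). A fast hash like this is not
// a password-storage scheme; the later replies in the thread cover that.
func saltedSHA256(salt, secret []byte) []byte {
	buf := make([]byte, 0, len(salt)+sha256.Size)
	buf = append(buf, salt...)

	h := sha256.New()
	h.Write(salt)
	h.Write(secret)
	return h.Sum(buf) // len(result) == len(salt) + 32
}

// newSalt draws a random salt the same way the original code does.
func newSalt() []byte {
	salt := make([]byte, saltSize)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		panic(fmt.Errorf("random read failed: %v", err))
	}
	return salt
}

func main() {
	direct, streamed := digestTwoWays([]byte("hello"))
	fmt.Println("Sum256:  ", hex.EncodeToString(direct[:]))
	fmt.Println("New+Sum: ", hex.EncodeToString(streamed))

	out := saltedSHA256(newSalt(), []byte("hello"))
	fmt.Printf("salt||digest (%d bytes): %x\n", len(out), out)
}
```

Both paths print the same hex digest; the only difference is the return type ([32]byte array versus []byte slice), which is why the array form is sliced with direct[:] before encoding.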



egon

Jun 2, 2014, 11:54:12 AM
to golan...@googlegroups.com

On Monday, 2 June 2014 18:15:43 UTC+3, John Qin wrote:
I want to hash the password using Go. The code below is from Rog's post. He's using SHA-1; it works. The part that is commented out is my code; I want to make it more secure using SHA-256.


Use bcrypt/scrypt for hashing passwords.


See http://shadynasty.biz/blog/2012/09/05/auth-and-sessions/; it contains an example of how to use bcrypt.

+ egon

Nate Finch

Jun 2, 2014, 2:00:01 PM
to golan...@googlegroups.com
I'm going to quote this because it deserves repeating. bcrypt and scrypt (and PBKDF2) are the industry standards for securely hashing passwords. They are algorithms designed for hashing passwords. Please use one of those to the exclusion of all other password hashing algorithms when hashing passwords. Do not use SHA256. SHA256 is made for hashing large amounts of data. It is designed to be fast. What that means is, people trying to brute force your password are going to be able to do it very, very fast. Like, millions of attempts per second with off-the-shelf hardware. In contrast, bcrypt can be tweaked to run as slow as you like. This makes even poor passwords pretty strong against brute force attacks.

I am not a cryptographer, but this has been well-known best practice for quite some time now.

Matt Silverlock

Jun 2, 2014, 5:26:40 PM
to golan...@googlegroups.com
Everything Nate said is worth reading twice. Go's bcrypt package (http://godoc.org/code.google.com/p/go.crypto/bcrypt) is extremely easy to use, too.

hash, err := bcrypt.GenerateFromPassword([]byte(password), 12)
if err != nil {
...
}

---

The CompareHashAndPassword function also makes it easy to compare the stored hash with the password in a constant-time manner.
