Ref: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#password-hashing-algorithms
What is salt? According to OWASP guidelines, "a salt is a unique, randomly generated string that is added to each password as part of the hashing process".
How to store a password and salt?
1. A salt is not meant to be secret and it can be stored in plain text in the database. It is used to ensure the hash result is unique to each password.
2. The password can be stored in the database using the following format: hash(password + salt).
As you can see from the above, the password is never sent over the wire to the server.
Go has built-in support, via the golang.org/x/crypto packages, for Argon2, bcrypt and PBKDF2.
Using a slow, expensive hashing algorithm is recommended. These hashes introduce a calculation work factor which can then be scaled along with Moore's Law. Some examples are Argon2, PBKDF2, bcrypt, and scrypt. While Argon2 is better, bcrypt is still very good and scales with modern hardware due to the work factor. Go also provides us with an easy-to-use library, which makes this a good choice.