You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
golang.org/x/crypto/bcrypt [1] does not provide an official API to verify that the hash format is good one. The current sources indicates [2] that one can use bcrypt.Cost() as that parses and verifies the whole hash string. But the documentation does not reflect that a successful return from the function indicates a valid hash. Also the documentation implies that bcrypt.ErrHashTooShort can only be returned from CompareHashAndPassword when the Cost function can also return it.
It would be nice to have an explicit API to check hash format and perhaps check that it was created by older version so a password change can be scheduled in such case.
golang.org/x/crypto/bcrypt [1] does not provide an official API to verify that the hash format is good one. The current sources indicates [2] that one can use bcrypt.Cost() as that parses and verifies the whole hash string. But the documentation does not reflect that a successful return from the function indicates a valid hash. Also the documentation implies that bcrypt.ErrHashTooShort can only be returned from CompareHashAndPassword when the Cost function can also return it.
It would be nice to have an explicit API to check hash format and perhaps check that it was created by older version so a password change can be scheduled in such case.
[1] - https://godoc.org/golang.org/x/crypto/bcrypt
[2] - https://github.com/golang/crypto/blob/6c586e17d90a7d08bbbc4069984180dce3b04117/bcrypt/bcrypt.go#L118
The text was updated successfully, but these errors were encountered: