6 comments

[ 4.7 ms ] story [ 25.7 ms ] thread
Q: is this preferable than using the built-in blowfish? What is the advantage?

http://golang.org/pkg/crypto/blowfish/

This library is a golang wrapper modeled after py-bcrypt, http://www.mindrot.org/projects/py-bcrypt/

This system hashes passwords using a version of Bruce Schneier's Blowfish block cipher with modifications designed to raise the cost of off-line password cracking and frustrate fast hardware implementation. The computation cost of the algorithm is parametised, so it can be increased as computers get faster. The intent is to make a compromise of a password database less likely to result in an attacker gaining knowledge of the plaintext passwords (e.g. using John the Ripper).

They're for different things. Blowfish is a block cipher. Bcrypt is a password hashing function build on top of a modified version of Blowfish.

If you want to store hashed passwords, Bcrypt is a Right Way to do it. Blowfish doesn't really get much use anymore.

Great. Thanks for the clarification. I've been trying various ways to do secure login on my webapp so this will be just the ticket.
I created pretty much the same thing about two weeks ago, although I think your library looks much nicer (I'm just getting into Go).

https://github.com/silas/bcrypt.go

Cool. My advice is that you should get into the habit of writing tests.