BSD-3-Clause licensed by Dennis Gosnell, Felix Paulusma
This version can be pinned in stack with:password-,5581

Module documentation for


Build Status Hackage Stackage LTS Stackage Nightly BSD3 license

This library provides functions for working with passwords and password hashes in Haskell.

Currently supports the following algorithms:

  • PBKDF2
  • bcrypt
  • scrypt
  • Argon2

Also, see the password-instances package for instances for common typeclasses.


Changelog for password

  • Add Cabal flags to control which hashing algorithms are exported. These flags are argon2, bcrypt, pbkdf2, and scrypt. Each flag is enabled by default - disabling it will elide the corresponding module from the library. This allows downstream packagers to disable hashing algorithms which aren’t supported on certain platforms. Thanks to @ivanbakel #63

  • Argon2 hashes without a version field are interpreted as being of version 1.0 Thanks to @Vlix #56

  • Split the main datatypes module (Data.Password) into a separate package: password-types. The new package just contains Password, PasswordHash, Salt and their helper functions/instances.
  • Adjusted entire password package to use the Data.Password.Types from this new password-types. Thanks to @Vlix #40
  • Argon2: fixed the producing and checking of Argon2 hashes. The base64 padding is removed when producing hashes and when checking hashes it will accept hashes with or without padding. #45

  • Fixed homepage links in the .cabal files. #34 Thanks to @Radicalautistt
  • Updated the defaultPasswordPolicy and documentation of the Data.Password.Validate module using information about research done on “memorized secrets” (i.e. passwords) by the NIST. [#31] Thanks to @agentultra for pointing out the research and starting the PR. #39 Thanks to @Vlix for updating the rest of the documentation.
  • Small spelling and other documentation fixes.

  • A new Validate module has been added to dictate policies that passwords should adhere to and the necessary API to verify that they do. #26 Huge thanks to @HirotoShioi for picking up the task of adding this functionality and doing most of the groundwork. #27 Thanks to @Vlix for finishing up the API and documentation.

  • Switched checking hashes to using Data.ByteArray.constEq, instead of the default (==) method of ByteString. This is to make it more secure against timing attacks. #16 Thanks to @maralorn for bringing this up.

  • Fixed README markdown for hackage.

  • Complete overhaul of the library to include hashing and checking passwords with not just scrypt, but also PBKDF2, bcrypt and Argon2. #8
  • cryptonite is now used as a dependency, instead of the scrypt package. #8
  • Done away with abbreviating “password” (Pass/pass -> Password/password) #8
  • Removed unsafeShowPasswordText and changed unsafeShowPassword to be Password -> Text. (Anyone who needs it to be a String knows where to find Data.Text.unpack) #8
  • GHC versions < 8.2 are no longer actively supported. (Tested to work for GHC 8.2.2)

  • hashPassWithSalt has switched function arguments for better currying. #6 Although be warned that multiple passwords should not be hashed with the same salt.
  • Removed Read instance from Pass and added Show instance. #6 See #5 for justification of this.
  • newSalt is now MonadIO m instead of IO. #6
  • PassCheckSucc has been renamed to PassCheckSuccess. #6
  • Hide data constructor from Pass and add the mkPass function to construct a Pass. #6
  • Thanks to Felix Paulusma (@Vlix) for the above changes!

  • Small fix to make sure the doctests build with stack. #3

  • Initial version.