This library provides functions for working with passwords and password hashes in Haskell.
It currently supports the following algorithms:
PBKDF2
bcrypt
scrypt
Argon2
Also, see the password-instances package for instances for common typeclasses.
Changes
Changelog for password
3.0.2.1
Add Cabal flags to control which hashing algorithms are exported. These flags are
argon2, bcrypt, pbkdf2, and scrypt. Each flag is enabled by default -
disabling it will elide the corresponding module from the library. This allows
downstream packagers to disable hashing algorithms which aren’t supported on
certain platforms.
Thanks to @ivanbakel #63
3.0.2.0
Add extractParams on PasswordHash values
Thanks to @blackheaven #61
3.0.1.0
Argon2 hashes without a version field are interpreted as being of version 1.0
Thanks to @Vlix #56
3.0.0.0
Split the main datatypes module (Data.Password) into a separate package: password-types.
The new package just contains Password, PasswordHash, Salt and their helper functions/instances.
Adjusted entire password package to use the Data.Password.Types from this new password-types.
Thanks to @Vlix #40
Argon2: fixed the producing and checking of Argon2 hashes.
The base64 padding is removed when producing hashes and when
checking hashes it will accept hashes with or without padding.
#45
Updated the defaultPasswordPolicy and documentation of the
Data.Password.Validate module using information about research done on
“memorized secrets” (i.e. passwords) by NIST.
[#31] https://github.com/cdepillabout/password/pull/31
Thanks to @agentultra for pointing out the research and starting the PR.
#39
Thanks to @Vlix for updating the rest of the documentation.
Small spelling and other documentation fixes.
2.1.0.0
A new Validate module has been added to dictate policies that passwords
should adhere to and the necessary API to verify that they do.
#26
Huge thanks to @HirotoShioi for picking up the task of adding this
functionality and doing most of the groundwork.
#27
Thanks to @Vlix for finishing up the API and documentation.
2.0.1.1
Fixed cross-module links in the haddocks.
#19 Thanks to @TristanCacqueray for fixing this.
2.0.1.0
Switched checking hashes to using Data.ByteArray.constEq, instead of
the default (==) method of ByteString. This makes hash checking more
secure against timing attacks. #16
Thanks to @maralorn for bringing this up.
2.0.0.1
Fixed README markdown for hackage.
2.0.0.0
Complete overhaul of the library to include hashing and checking
passwords with not just scrypt, but also PBKDF2, bcrypt and
Argon2.
#8
cryptonite is now used as a dependency, instead of the scrypt package.
#8
Done away with abbreviating “password” (Pass/pass -> Password/password)
#8
Removed unsafeShowPasswordText and changed unsafeShowPassword to be
Password -> Text. (Anyone who needs it to be a String knows where to
find Data.Text.unpack)
#8
GHC versions < 8.2 are no longer actively supported.
(Tested to work for GHC 8.2.2)