password

Hashing and checking of passwords

https://github.com/cdepillabout/password/tree/master/password#readme

LTS Haskell 23.19:3.1.0.1
Stackage Nightly 2025-04-30:3.1.0.1
Latest on Hackage:3.1.0.1

See all snapshots password appears in

BSD-3-Clause licensed by Dennis Gosnell, Felix Paulusma
Maintained by [email protected], [email protected]
This version can be pinned in stack with:password-3.1.0.1@sha256:2ebc0084dbe8ff1c8ae333f0669229b5bcfcec270e8d1b5989944c9221d128a7,6126

Module documentation for 3.1.0.1

password

Build Status Hackage Stackage LTS Stackage Nightly BSD3 license

This library provides functions for working with passwords and password hashes in Haskell.

Currently supports the following algorithms:

  • PBKDF2
  • bcrypt
  • scrypt
  • Argon2

Also, see the password-instances package for instances for common typeclasses.

Changes

Changelog for password

3.1.0.1

  • Redo the conditionals in the password.cabal file so that the scrypt library is only included as a test dependency on x86_64. This generally shouldn’t affect users of the password library. Thanks to @sternenseemann #85

3.1.0.0

  • Switched default cryptographic backend library from cryptonite to crypton. The crypton flag is now a no-op, and the cryptonite flag is needed to build the password library using the cryptonite library. Thanks to @Vlix #81

3.0.4.0

  • Support base64 package up to and including base64-1.0.
  • Added the Cabal flags crypton and cryptonite to choose which dependency to build with. Right now the default is cryptonite and setting crypton changes it to crypton. Setting the cryptonite flag does nothing at the moment, but will replace the crypton flag in a future major release, so if you want to keep using the cryptonite package you should start building with this flag. When the flags get switched the crypton package will be the default and the crypton flag will turn into a no-op, and you’ll have to supply the cryptonite flag to build with the cryptonite package. Thanks to @Vlix #74

3.0.3.0

  • Added bcrypt defaultParams used by hashPassword Thanks to @blackheaven #70

3.0.2.2

  • Added extra documentation about bcrypt hashes. Thanks to @Vlix #69

3.0.2.1

  • Add Cabal flags to control which hashing algorithms are exported. These flags are argon2, bcrypt, pbkdf2, and scrypt. Each flag is enabled by default - disabling it will elide the corresponding module from the library. This allows downstream packagers to disable hashing algorithms which aren’t supported on certain platforms. Thanks to @ivanbakel #63

3.0.2.0

3.0.1.0

  • Argon2 hashes without a version field are interpreted as being of version 1.0 Thanks to @Vlix #56

3.0.0.0

  • Split the main datatypes module (Data.Password) into a separate package: password-types. The new package just contains Password, PasswordHash, Salt and their helper functions/instances.
  • Adjusted entire password package to use the Data.Password.Types from this new password-types. Thanks to @Vlix #40
  • Argon2: fixed the producing and checking of Argon2 hashes. The base64 padding is removed when producing hashes and when checking hashes it will accept hashes with or without padding. #45

2.1.1.0

  • Fixed homepage links in the .cabal files. #34 Thanks to @Radicalautistt
  • Updated the defaultPasswordPolicy and documentation of the Data.Password.Validate module using information about research done on “memorized secrets” (i.e. passwords) by the NIST. [#31] https://github.com/cdepillabout/password/pull/31 Thanks to @agentultra for pointing out the research and starting the PR. #39 Thanks to @Vlix for updating the rest of the documentation.
  • Small spelling and other documentation fixes.

2.1.0.0

  • A new Validate module has been added to dictate policies that passwords should adhere to and the necessary API to verify that they do. #26 Huge thanks to @HirotoShioi for picking up the task of adding this functionality and doing most of the groundwork. #27 Thanks to @Vlix for finishing up the API and documentation.

2.0.1.1

2.0.1.0

  • Switched checking hashes to using Data.ByteArray.constEq, instead of the default (==) method of ByteString. This is to make it more secure against timing attacks. #16 Thanks to @maralorn for bringing this up.

2.0.0.1

  • Fixed README markdown for hackage.

2.0.0.0

  • Complete overhaul of the library to include hashing and checking passwords with not just scrypt, but also PBKDF2, bcrypt and Argon2. #8
  • cryptonite is now used as a dependency, instead of the scrypt package. #8
  • Done away with abbreviating “password” (Pass/pass -> Password/password) #8
  • Removed unsafeShowPasswordText and changed unsafeShowPassword to be Password -> Text. (Anyone who needs it to be a String knows where to find Data.Text.unpack) #8
  • GHC versions < 8.2 are no longer actively supported. (Tested to work for GHC 8.2.2)

1.0.0.0

  • hashPassWithSalt has switched function arguments for better currying. #6 Although be warned that multiple passwords should not be hashed with the same salt.
  • Removed Read instance from Pass and added Show instance. #6 See #5 for justification of this.
  • newSalt is now MonadIO m instead of IO. #6
  • PassCheckSucc has been renamed to PassCheckSuccess. #6
  • Hide data constructor from Pass and add the mkPass function to construct a Pass. #6
  • Thanks to Felix Paulusma (@Vlix) for the above changes!

0.1.0.1

  • Small fix to make sure the doctests build with stack. #3

0.1.0.0

  • Initial version.