Phantom type for Argon2

Since: 2.0.0.0

A plain-text password.

This represents a plain-text password that has NOT been hashed.

You should be careful with Password. Make sure not to write it to logs or store it in a database.

You can construct a Password by using the mkPassword function or as literal strings together with the OverloadedStrings pragma (or manually, by using fromString on a String). Alternatively, you could also use some of the instances in the password-instances library.

Construct a Password

Hash the Password using the Argon2 hash algorithm

>>> hashPassword $ mkPassword "foobar"
PasswordHash {unPasswordHash = "$argon2id$v=19$m=65536,t=2,p=1$...$..."}

A hashed password.

This represents a password that has been put through a hashing function. The hashed password can be stored in a database.

Check a Password against a PasswordHash Argon2.

Returns PasswordCheckSuccess on success.

>>> let pass = mkPassword "foobar"
>>> passHash <- hashPassword pass
>>> checkPassword pass passHash
PasswordCheckSuccess

Returns PasswordCheckFail if an incorrect Password or PasswordHash Argon2 is used.

>>> let badpass = mkPassword "incorrect-password"
>>> checkPassword badpass passHash
PasswordCheckFail

This should always fail if an incorrect password is given.

\(Blind badpass) -> let correctPasswordHash = hashPasswordWithSalt testParams salt "foobar" in checkPassword badpass correctPasswordHash == PasswordCheckFail

The result of checking a password against a hashed version. This is returned by the checkPassword functions.

Hash a password using the Argon2 algorithm with the given Argon2Params.

N.B.: If you have any doubt in your knowledge of cryptography and/or the Argon2 algorithm, please just use hashPassword.

Advice to set the parameters:

• Figure out how many threads you can use, choose "parallelism" accordingly.
• Figure out how much memory you can use, choose "memory cost" accordingly.
• Decide on the maximum time x you can spend on it, choose the largest "time cost" such that it takes less than x with your system and other parameter choices.

Since: 2.0.0.0

Default parameters for the Argon2 algorithm.

>>> defaultParams
Argon2Params {argon2Salt = 16, argon2Variant = Argon2id, argon2Version = Version13, argon2MemoryCost = 65536, argon2TimeCost = 2, argon2Parallelism = 1, argon2OutputLength = 32}

Since: 2.0.0.0

Parameters used in the Argon2 hashing algorithm.

Since: 2.0.0.0

Which variant of Argon2 to use. You should choose the variant that is most applicable to your intention to hash inputs.

Which version of Argon2 to use

Hash a password with the given Argon2Params and also with the given Salt instead of a random generated salt using argon2Salt from Argon2Params. (cf. hashPasswordWithParams) Using hashPasswordWithSalt is strongly disadvised and hashPasswordWithParams should be used instead. Never use a static salt in production applications!

N.B.: The salt HAS to be 8 bytes or more, or this function will throw an error!

>>> let salt = Salt "abcdefghijklmnop"
>>> hashPasswordWithSalt defaultParams salt (mkPassword "foobar")
PasswordHash {unPasswordHash = "$argon2id$v=19$m=65536,t=2,p=1$YWJjZGVmZ2hpamtsbW5vcA$BztdyfEefG5V18ZNlztPrfZaU5duVFKZiI6dJeWht0o"}

(Note that we use an explicit Salt in the example above. This is so that the example is reproducible, but in general you should use hashPassword. hashPassword generates a new Salt everytime it is called.)

Generate a random 16-byte Argon2 salt

Since: 2.0.0.0

A salt used by a hashing algorithm.

This is an unsafe function that shows a password in plain-text.

>>> unsafeShowPassword ("foobar" :: Password)
"foobar"

You should generally not use this function in production settings, as you don't want to accidentally print a password anywhere, like logs, network responses, database entries, etc.

This will mostly be used by other libraries to handle the actual password internally, though it is conceivable that, even in a production setting, a password might have to be handled in an unsafe manner at some point.