Phantom type for scrypt

Since: 2.0.0.0

A plain-text password.

This represents a plain-text password that has NOT been hashed.

You should be careful with Password. Make sure not to write it to logs or store it in a database.

You can construct a Password by using the mkPassword function or as literal strings together with the OverloadedStrings pragma (or manually, by using fromString on a String). Alternatively, you could also use some of the instances in the password-instances library.

Construct a Password

Hash the Password using the Scrypt hash algorithm

>>> hashPassword $ mkPassword "foobar"
PasswordHash {unPasswordHash = "14|8|1|...|..."}

A hashed password.

This represents a password that has been put through a hashing function. The hashed password can be stored in a database.

Check a Password against a PasswordHash Scrypt.

Returns PasswordCheckSuccess on success.

>>> let pass = mkPassword "foobar"
>>> passHash <- hashPassword pass
>>> checkPassword pass passHash
PasswordCheckSuccess

Returns PasswordCheckFail if an incorrect Password or PasswordHash Scrypt is used.

>>> let badpass = mkPassword "incorrect-password"
>>> checkPassword badpass passHash
PasswordCheckFail

This should always fail if an incorrect password is given.

\(Blind badpass) -> let correctPasswordHash = hashPasswordWithSalt testParams salt "foobar" in checkPassword badpass correctPasswordHash == PasswordCheckFail

The result of checking a password against a hashed version. This is returned by the checkPassword functions.

Hash a password using the Scrypt algorithm with the given ScryptParams.

N.B.: If you have any doubt in your knowledge of cryptography and/or the Scrypt algorithm, please just use hashPassword.

Advice for setting the parameters:

• Memory used is about: (2 ^ scryptRounds) * scryptBlockSize * 128
• Increasing scryptBlockSize and scryptRounds will increase CPU time and memory used.
• Increasing scryptParallelism will increase CPU time. (since this implementation, like most, runs the scryptParallelism parameter in sequence, not in parallel)

Since: 2.0.0.0

Default parameters for the Scrypt algorithm.

>>> defaultParams
ScryptParams {scryptSalt = 32, scryptRounds = 14, scryptBlockSize = 8, scryptParallelism = 1, scryptOutputLength = 64}

Since: 2.0.0.0

Extracts ScryptParams from a PasswordHash Scrypt.

Returns 'Just ScryptParams' on success.

>>> let pass = mkPassword "foobar"
>>> passHash <- hashPassword pass
>>> extractParams passHash == Just defaultParams
True

Since: 3.0.2.0

Parameters used in the Scrypt hashing algorithm.

Since: 2.0.0.0

Hash a password with the given ScryptParams and also with the given Salt instead of a randomly generated salt using scryptSalt from ScryptParams. Using hashPasswordWithSalt is strongly disadvised and hashPasswordWithParams should be used instead. Never use a static salt in production applications!

The resulting PasswordHash has the parameters used to hash it, as well as the Salt appended to it, separated by |.

The input Salt and resulting PasswordHash are both base64 encoded.

>>> let salt = Salt "abcdefghijklmnopqrstuvwxyz012345"
>>> hashPasswordWithSalt defaultParams salt (mkPassword "foobar")
PasswordHash {unPasswordHash = "14|8|1|YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU=|nENDaqWBmPKapAqQ3//H0iBImweGjoTqn5SvBS8Mc9FPFbzq6w65maYPZaO+SPamVZRXQjARQ8Y+5rhuDhjIhw=="}

(Note that we use an explicit Salt in the example above. This is so that the example is reproducible, but in general you should use hashPassword. hashPassword generates a new Salt everytime it is called.)

Generate a random 32-byte scrypt salt

Since: 2.0.0.0

A salt used by a hashing algorithm.

This is an unsafe function that shows a password in plain-text.

>>> unsafeShowPassword ("foobar" :: Password)
"foobar"

You should generally not use this function in production settings, as you don't want to accidentally print a password anywhere, like logs, network responses, database entries, etc.

This will mostly be used by other libraries to handle the actual password internally, though it is conceivable that, even in a production setting, a password might have to be handled in an unsafe manner at some point.