Securing User Passwords in Go on App Engine

When handling user passwords in Go applications deployed on Google App Engine, security is paramount. The bcrypt library, while effective in password hashing, poses limitations due to its use of syscall. For this reason, developers may seek alternative methods for secure password hashing.

One reliable option is to leverage the golang.org/x/crypto package, which provides native implementations of PBKDF2 and bcrypt. These implementations eliminate the dependency on syscall, making them suitable for App Engine.

Using bcrypt

To utilize bcrypt, follow these steps:

1. Install the package:

go get golang.org/x/crypto/bcrypt

2. Example usage:

package main

import (
    "fmt"
    "golang.org/x/crypto/bcrypt"
)

func main() {
    pass := []byte("your password")

    // Generate a hashed password
    ctext, err := bcrypt.GenerateFromPassword(pass, bcrypt.DefaultCost)
    if err != nil {
        // Handle error
    }

    fmt.Println(string(ctext)) // Example output: $2a$10$sylGijT5CIJZ9ViJsxZOS.IB2tOtJ40hf82eFbTwq87iVAOb5GL8e
}

Using PBKDF2

For simpler hashing needs, PBKDF2 can be used:

1. Install the package:

go get golang.org/x/crypto/pbkdf2

2. Example usage:

package main

import (
    "fmt"
    "golang.org/x/crypto/pbkdf2"
)

func main() {
    pass := []byte("your password")
    salt := []byte("your salt")

    // Generate a hash
    hash := pbkdf2.Key(pass, salt, 4096, sha256.Size, sha256.New)

    fmt.Printf("%x\n", hash) // Example output: 0x079b8238d3815d31d87d75ff893371ac3cc875f97eca499854655da9554d2555
}