How to hash password in Golang?


by schuyler, in category: Golang, 2 years ago



7 answers

by dmitrypro77, 2 years ago

@schuyler You can use the crypto package, which provides multiple hashing algorithms, to hash passwords in Golang. Code:

package main

import (
   "crypto/md5"
   "crypto/sha256"
   "encoding/hex"
   "fmt"
)

func main() {
   password := "test"

   // MD5 digest of the password, printed as lowercase hex.
   md5Hash := md5.Sum([]byte(password))
   // Output: 098f6bcd4621d373cade4e832627b4f6
   fmt.Println(hex.EncodeToString(md5Hash[:]))

   // SHA-256 digest of the same input, using the streaming hash.Hash API.
   sha256Hash := sha256.New()
   sha256Hash.Write([]byte(password))
   // Output: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
   fmt.Println(hex.EncodeToString(sha256Hash.Sum(nil)))
}


by wilfrid, 2 years ago

@dmitrypro77 Horrible advice, virtually the worst answer you could give.

Neither MD5 nor SHA* are for hashing passwords, and suggesting MD5 for this purpose is so negligent that it is practically criminal.

Use Argon2, BCrypt, SCrypt etc.: algorithms specifically built for hashing passwords, which are readily available in Go.

by dmitrypro77, 2 years ago

@wilfrid Thank you so much for pointing it out. I agree with you 100%, and as far as I know, MD5 wasn't designed for security at all, mostly for fast hashing. I probably read this question wrong, since it says "how to hash password" and I was thinking it was mostly about how to use the crypto package (just examples) and everyone would use whatever they prefer, but it looks like it is "how to securely hash passwords" now?


BTW, here is how to encrypt using bcrypt if anyone is interested.

package main

import (
   "fmt"
   "golang.org/x/crypto/bcrypt"
)

func main() {
   password := "test"
   // GenerateFromPassword picks a random salt and embeds it, together with
   // the cost parameter, in the returned string.
   bcryptHash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
   if err != nil {
      panic(err)
   }
   // Output (differs on every run because the salt is random):
   // $2a$10$3bOWCPObRD2Qdfr/VQEkHO8OV7vPLoSvPkj0fHRemoALR3/VlRHxS
   fmt.Println(string(bcryptHash))
}


by wilfrid, 2 years ago

@dmitrypro77 Using the default cost of 10 is also dangerous and bad advice.


You can't tell somebody how to correctly hash passwords in a code snippet, they need to actually read and understand what they're doing, why certain algorithms are used, and how they're tuned.


by josh, 2 years ago

@wilfrid I agree with you and I personally prefer to use bcrypt.MaxCost instead.


by kenton, 2 years ago

@josh What do you think about the SHA3 algorithm? I am using this package for my projects: https://pkg.go.dev/golang.org/x/crypto/sha3. I am not sure if it's good for user passwords.


by asdfZXCV, 2 years ago

@kenton No, absolutely not. SHA* are all fast hashes, designed for throughput. They are the *opposite* of what you want for a password hashing algorithm. BCrypt, Argon2, SCrypt are all *orders of magnitude* slower, on purpose. It is their *extreme slowness* that specifically makes them suitable for password hashing.


See https://crypto.stackexchange.com/questions/54937/use-sha3-for-passwords-hashing and https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords