Be able to use different hash formats #11

Open
Vlix opened this issue Apr 26, 2020 · 1 comment
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@Vlix
Collaborator

Vlix commented Apr 26, 2020

Seeing as some algorithms encode the password hashes in different ways, it might be a good idea to add functionality to dictate how the hash will be output (hashPassword) and/or how it will be read (checkPassword).

This will make the interoperability better between different programs/other languages, and thus make it easier for someone to switch to Haskell, or use Haskell to operate on already existing password hashes.

Here's a list of examples of different formats

@Vlix
Collaborator Author

Vlix commented Jan 20, 2022

Started testing some other password libraries for formats they output. All hashes use testpass as the password. And only formats that differ are listed here (so you'll not see any bcrypt or argon2, since those have predefined hash formats).

I'll just add to this message if I find more later on.


Python's Passlib (1.7)

  • PBKDF2-SHA1:
    • $pbkdf2$131000$OEdozRlDaK0VwjjnnLMWgg$ZgC1C6jh9E7871Qhs8GSjdYnynQ
    • $pbkdf2$131000$0vo/B4DQeu9dC4EwhjCGMA$GftqjQLIzpJLATYxUN6dAwwOvRo
  • PBKDF2-SHA256:
    • $pbkdf2-sha256$29000$8L43hnAOwXjvPYdwDuFcKw$KLfhBn9QTOeKPS.Cd5.velWFarD5KlIeC8mU5VIsiHo
    • $pbkdf2-sha256$29000$O.fcW8s5J4RwTklJydnb.w$BydCvBqanO7uNLArDyI5CiV8vNNOvUfwExFdO9pfaFg
  • PBKDF2-SHA512:
    • $pbkdf2-sha512$25000$0roXQmgNIURorRXC2JtTag$N4fUuwbjByCcvvTxqBvDkUeBhRE.qPLGt3c4kU1gtUaYaa4HDEWxea10HmfDGXYF1JIw2rxZOs62/aGbg9B46A
    • $pbkdf2-sha512$25000$aa0VglAqRSjF.H.PsRYCQA$UcIpGgFn/sGyx4YwDegVsYXichWq2qBqM1wVGzToR03gXxyW1Sk1xqqpOvxv4jKEqVBFbxDDDne3ZzEONRa8Xw

For PBKDF2, Passlib seems to use the OpenBSD Base64 encoding (with ./0-9A-Za-z) and ignoring any trailing =s.
(Passlib calls this Hash64. See footnote: #1)

  • scrypt:
    • $scrypt$ln=16,r=8,p=1$LkXIuRdCCOH8X8t5b+09xw$vc3bu8I8S/ZH9a1jcrOZDePEJMmPgvTv0r7vwzkrI5E
    • $scrypt$ln=16,r=8,p=1$2ftf651TKsW4F0Lo/f//Pw$h5XAZ9E7BEZE0+FldIlnvmmVpSeBBky1PrWBGHF70Fc

For scrypt, Passlib takes the argon2 approach, using ln for the logN rounds, r for the memory work, and p for the parallelism.


Node scrypt

GitHub README
Stack Exchange explanation of the hash format

Example from the GitHub README (not self-generated):

  • password1: c2NyeXB0AAwAAAAIAAAAAcQ0zwp7QNLklxCn14vB75AYWDIrrT9I/7F9+lVGBfKN/1TH2hs /HboSy1ptzN0YzHJhC7PZIEPQzf2nuoaqVZg8VkKEJlo8/QaH7qjU2VwB
  • password2: c2NyeXB0AAwAAAAIAAAAAZ/+bp8gWcTZgEC7YQZeLLyxFeKRRdDkwbaGeFC0NkdUr/YFAWY /UwdOH4i/PxW48fXeXBDOTvGWtS3lLUgzNM0PlJbXhMOGd2bke0PvTSnW

PHP's PHPass(Lib) (>= v2.1)

  • PBKDF2-SHA1:
    • $pbkdf2$12000$wr5bVXZikOv0vk.fbiMHYg$Kyt4.y7dvyjV3.xwCXljLalhATE
    • $pbkdf2$12000$O0L8/9wdVFxeUJ7XGmoJvg$q7l0aearqGqLT93F6c6pv7AtRzw
  • PBKDF2-SHA256:
    • $pbkdf2-sha256$12000$usqXpNNWlm7nZBfJlFlw2A$12FSPQWbbjOPG/2EFxN13TLOWCDgcbBGrLAPI8cB7Ak
    • $pbkdf2-sha256$12000$47JaVFbhUTIurpzxHPym5Q$u05U1q9iq0LyDvUPWOHygNUKTgSDP/nAEMPlrojSUus
  • PBKDF2-SHA512:
    • $pbkdf2-sha512$12000$3ZH1pFJ1nnm4DL8vLnWHzg$vwU5XwLJuePlygsufn6IzL7DIcnahXJh3VxMefXGif8BTEmEOpkyj1RFsWenjHvaLGFr5amQ8iLB7de5mh0RVA
    • $pbkdf2-sha512$12000$AmY7CaHljsAPeNKpiBA6hA$TlSI4G7OMQUIrWsKeisVM7TYoJJI4jgT.L9BD7XFmM.13NtxOb8HW3yULgyJo2CtGsjyvkux5N9fzzSuj4CaFQ

PHPass(Lib) seems to use the same format as Python's Passlib, using the OpenBSD Base64 (Hash64) encoding (with ./0-9A-Za-z) and ignoring any trailing =s.


python-pbkdf2

Weird output format, not sure if this is generally used anywhere.


Yesod.Auth.Util.PasswordStore

writePwHash uses the same format we use in Data.Password.Scrypt (which I think we carried over from the scrypt library).


#1: Passlib's explanation of CharMaps (Base64, AltBase64, Hash64, Bcrypt64)

@Vlix Vlix mentioned this issue Feb 18, 2024
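A reader and writer for the `$pbkdf2-<digest>$<rounds>$<salt>$<checksum>` strings listed above, as an added Python sketch that is not code from this project or from Passlib. It assumes the salt and checksum fields use Passlib's documented "adapted Base64" (the standard Base64 alphabet with `.` in place of `+`, and no `=` padding); the function names, the 16-byte salt and the default round count are choices made for this example.

```python
import base64
import hashlib
import hmac
import os

# Sample copied from the Passlib PBKDF2-SHA256 list on this page.
PAGE_SAMPLE = "$pbkdf2-sha256$29000$8L43hnAOwXjvPYdwDuFcKw$KLfhBn9QTOeKPS.Cd5.velWFarD5KlIeC8mU5VIsiHo"
# Scheme identifier -> (hashlib digest name, checksum length in bytes).
SCHEMES = {"pbkdf2": ("sha1", 20), "pbkdf2-sha256": ("sha256", 32),
           "pbkdf2-sha512": ("sha512", 64)}


def ab64_decode(text: str) -> bytes:
    """Decode adapted Base64: '.' stands for '+', '=' padding is omitted."""
    if "+" in text or "=" in text or len(text) % 4 == 1:
        raise ValueError("not adapted Base64")
    padded = text.replace(".", "+") + "=" * (-len(text) % 4)
    return base64.b64decode(padded, validate=True)


def ab64_encode(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=").replace("+", ".")


def parse_pbkdf2(encoded: str):
    """Split '$scheme$rounds$salt$checksum' into (digest, rounds, salt, checksum)."""
    parts = encoded.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] not in SCHEMES:
        raise ValueError("unsupported hash format")
    digest, size = SCHEMES[parts[1]]
    if not (parts[2].isascii() and parts[2].isdigit()) or parts[2].startswith("0"):
        raise ValueError("bad rounds field")
    salt, checksum = ab64_decode(parts[3]), ab64_decode(parts[4])
    if len(checksum) != size:
        raise ValueError("checksum length does not match digest")
    return digest, int(parts[2]), salt, checksum


def hash_password(password: str, scheme="pbkdf2-sha256", rounds=29000) -> str:
    digest, size = SCHEMES[scheme]
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac(digest, password.encode(), salt, rounds, size)
    return f"${scheme}${rounds}${ab64_encode(salt)}${ab64_encode(key)}"


def check_password(password: str, encoded: str) -> bool:
    digest, rounds, salt, expected = parse_pbkdf2(encoded)
    key = hashlib.pbkdf2_hmac(digest, password.encode(), salt, rounds, len(expected))
    return hmac.compare_digest(key, expected)  # constant-time comparison
```

The parser rejects strings whose checksum length does not match the named digest, so a truncated or mislabelled hash fails before any key derivation runs.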