Question 1

How do I migrate from bcrypt to simple-scrypt in Go?

Accepted Answer

Since simple-scrypt's API mirrors bcrypt, replace bcrypt.GenerateFromPassword and bcrypt.CompareHashAndPassword with scrypt equivalents. Ensure to handle parameter upgrades if moving to stronger scrypt settings, and test migration paths to avoid breaking existing user logins.

Question 2

Is simple-scrypt better than bcrypt for password storage?

Accepted Answer

scrypt is memory-hard, offering better resistance to GPU/ASIC attacks than bcrypt. simple-scrypt simplifies scrypt usage with upgradeable parameters, but choose based on your security needs; bcrypt may suffice for many applications with lower memory overhead.

Question 3

How to upgrade password hash parameters with simple-scrypt?

Accepted Answer

Use scrypt.Cost to retrieve current parameters from a hash, compare with new parameters, and if they differ, regenerate the hash with scrypt.GenerateFromPassword during authentication while the plaintext password is still in memory, as shown in the README example.

Question 4

What are the default parameters in simple-scrypt and are they safe for production?

Accepted Answer

Defaults are N=16384, r=8, p=1, which are cryptographically secure for most use cases. However, you should calibrate parameters based on your specific hardware and performance requirements to balance security and resource usage.

Question 5

How to handle calibration in a web server with simple-scrypt?

Accepted Answer

Run scrypt.Calibrate once on server startup to determine optimal parameters, as it's computationally expensive. Store the resulting params and use them for all hash generations, but monitor server load to mitigate DoS risks from authentication surges.

Question 6

Can I use simple-scrypt with the Gin or Echo web frameworks?

Accepted Answer

Yes, simple-scrypt is a standard Go library, so integrate it by importing the package and calling scrypt.GenerateFromPassword and scrypt.CompareHashAndPassword in your authentication middleware or handlers within any Go web framework.

simple-scrypt

What is simple-scrypt?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions