-
Notifications
You must be signed in to change notification settings - Fork 65
Hashing passwords
This page provides basic information about how to hash passwords in your Elixir app.
First, you need to choose which password hashing library you are going to use. We recommend Argon2, and that is the library we will use in the examples below (if you want to use Bcrypt or Pbkdf2, replace Argon2 with the name of the module you are using).
Next, add the password hashing library to your mix.exs file and run mix deps.get
(from version 5 onwards, you will not need to include :comeonin
in the mix.exs file).
Before using the library, you will also need to configure it. This is especially important when using Argon2.
The Argon2.hash_pwd_salt
function hashes a password with a randomly-generated salt,
and the Argon2.verify_pass
function checks a password by comparing it with a password
hash.
However, most developers will find the Argon2.add_hash
and Argon2.check_pass
convenience
functions more useful, especially when working on a Phoenix app with Ecto.
This first example shows how add_hash
can be used to add the password hash to an
Ecto changeset (add_hash
returns a map in the form %{password_hash: password_hash, password: nil}
):
defp put_pass_hash(%Ecto.Changeset{valid?: true, changes:
%{password: password}} = changeset) do
put_change(changeset, :password_hash, hash_pwd_salt(password))
end
defp put_pass_hash(changeset), do: changeset
For a more detailed example, see this example app.
The following is an example of calling Argon2.check_pass
with no options
(the Accounts.get_by
function takes the user parameters [for example, email and password]
as input and returns a user struct or nil):
def verify_user(%{"password" => password} = params) do
user = Accounts.get_by(params)
cond do
is_nil(user) ->
# Emulate password hashing to avoid leaking the user does not exist
Argon2.no_user_verify()
:not_found
Argon2.verify_pass(password, user.password_hash) ->
:ok
true ->
:invalid_password
end
end
To see how you can use this function, see how the Login.verify
function (which is very similar)
is used in the create function in
this controller.