Skip to content
José Valim edited this page Dec 10, 2024 · 3 revisions

This page provides basic information about how to hash passwords in your Elixir app.

Setup

First, you need to choose which password hashing library you are going to use. We recommend Argon2, and that is the library we will use in the examples below (if you want to use Bcrypt or Pbkdf2, replace Argon2 with the name of the module you are using).

Next, add the password hashing library to your mix.exs file and run mix deps.get (from version 5 onwards, you will not need to include :comeonin in the mix.exs file).

Before using the library, you will also need to configure it. This is especially important when using Argon2.

Creating and checking password hashes

The Argon2.hash_pwd_salt function hashes a password with a randomly-generated salt, and the Argon2.verify_pass function checks a password by comparing it with a password hash.

However, most developers will find the Argon2.add_hash and Argon2.check_pass convenience functions more useful, especially when working on a Phoenix app with Ecto.

Examples - Phoenix app with Ecto

This first example shows how add_hash can be used to add the password hash to an Ecto changeset (add_hash returns a map in the form %{password_hash: password_hash, password: nil}):

defp put_pass_hash(%Ecto.Changeset{valid?: true, changes:
    %{password: password}} = changeset) do
  put_change(changeset, :password_hash, hash_pwd_salt(password))
end

defp put_pass_hash(changeset), do: changeset

For a more detailed example, see this example app.

The following is an example of calling Argon2.check_pass with no options (the Accounts.get_by function takes the user parameters [for example, email and password] as input and returns a user struct or nil):

def verify_user(%{"password" => password} = params) do
  user = Accounts.get_by(params)

  cond do
    is_nil(user) ->
      # Emulate password hashing to avoid leaking the user does not exist
      Argon2.no_user_verify()
      :not_found

    Argon2.verify_pass(password, user.password_hash) ->
      :ok

    true ->
      :invalid_password
  end 
end

To see how you can use this function, see how the Login.verify function (which is very similar) is used in the create function in this controller.