Golang Password Encryption For Apps and Websites

As one of the first exercises I’ve conducted in Golang, as part of getting used to the core language/framework, I’ve implemented a simple password authentication package. It uses Bcrypt for actually hashing the password, with 64 bit salting created via Dev/Rand, which is just standard practice really. This was more an exercise in building something practical and getting a handle on the syntax of doing some slightly more advanced things.

One thing I’ve noticed with Go, especially using this handy dandy Go Plugin, is that it’s forced me to write really clean code (at least I think so). I’ve really been trying to emphasize this lately, but Go seems to really take it to the next level, at least so far with this really simple bit of code. Anyway, I wrote the whole thing to be tested, so each function has a well defined responsibility that is easy to call and check.

package authentication

// This will handle all aspects of authenticating users in our system
// For password managing/salting I used:
// http://austingwalters.com/building-a-web-server-in-go-salting-passwords/

import (
	"crypto/rand"
	"strings"

	"golang.org/x/crypto/bcrypt"
)

const (
	// Salt length in bytes (8 bytes = 64 bits). bcrypt only hashes the first
	// 72 bytes of its input, and newer golang.org/x/crypto/bcrypt releases
	// reject longer input, so the salt prefix must leave room for the password.
	SaltLength = 8
	// On a scale of 4 - 31, how intense Bcrypt should be
	EncryptCost = 14
)

// This is returned when a new hash + salt combo is generated
type Password struct {
	hash string
	salt string
}

// this handles taking a raw user password and making it into something safe for
// storing in our DB
func hashPassword(salted_pass string) string {
	hashed_pass, err := bcrypt.GenerateFromPassword([]byte(salted_pass), EncryptCost)
	if err != nil {
		panic(err)
	}
	return string(hashed_pass)
}

// Handles merging together the salt and the password
func combine(salt string, raw_pass string) string {
	// concat salt + password
	pieces := []string{salt, raw_pass}
	salted_password := strings.Join(pieces, "")
	return salted_password
}

// Generates a random salt using crypto/rand (the OS CSPRNG)
func generateSalt() string {
	// Read in data
	data := make([]byte, SaltLength)
	_, err := rand.Read(data)
	if err != nil {
		panic(err)
	}
	// Convert to a string
	salt := string(data[:])
	return salt
}

// Handles creating a new hash/salt combo from a raw password as inputted
// by the user
func CreatePassword(raw_pass string) *Password {
	password := new(Password)
	password.salt = generateSalt()
	salted_pass := combine(password.salt, raw_pass)
	password.hash = hashPassword(salted_pass)
	return password
}

// Checks whether or not the correct password has been provided
func PasswordMatch(guess string, password *Password) bool {
	salted_guess := combine(password.salt, guess)
	// compare to the real deal
	if bcrypt.CompareHashAndPassword([]byte(password.hash), []byte(salted_guess)) != nil {
		return false
	}
	return true
}


and the corresponding GoConvey tests:

package authentication

import (
	"strings"
	"testing"

	. "github.com/smartystreets/goconvey/convey"
	"golang.org/x/crypto/bcrypt"
)

func TestSpec(t *testing.T) {
	Convey("Authentication Testing", t, func() {
		Convey("generateSalt()", func() {
			salt := generateSalt()
			So(salt, ShouldNotBeBlank)
			So(len(salt), ShouldEqual, SaltLength)
		})

		Convey("combine()", func() {
			salt := generateSalt()
			password := "boomchuckalucka"
			expectedLength := len(salt) + len(password)
			combo := combine(salt, password)
			So(combo, ShouldNotBeBlank)
			So(len(combo), ShouldEqual, expectedLength)
			So(strings.HasPrefix(combo, salt), ShouldBeTrue)
		})

		Convey("hashPassword()", func() {
			combo := combine(generateSalt(), "hershmahgersh")
			hash := hashPassword(combo)
			So(hash, ShouldNotBeBlank)
			cost, err := bcrypt.Cost([]byte(hash))
			if err != nil {
				t.Fatal(err)
			}
			So(cost, ShouldEqual, EncryptCost)
		})

		Convey("CreatePassword()", func() {
			passString := "mmmPassword1"
			password := CreatePassword(passString)
			pass_struct := new(Password)
			So(password, ShouldHaveSameTypeAs, pass_struct)
			So(password.hash, ShouldNotBeBlank)
			So(password.salt, ShouldNotBeBlank)
			So(len(password.salt), ShouldEqual, SaltLength)
		})

		Convey("comparePassword", func() {
			password := "megaman49"
			passwordMeta := CreatePassword(password)
			So(PasswordMatch(password, passwordMeta), ShouldBeTrue)
			So(PasswordMatch("lolfail", passwordMeta), ShouldBeFalse)
			So(PasswordMatch("Megaman49", passwordMeta), ShouldBeFalse)
		})
	})
}

Boom, a tested, working password authentication package! Not bad for an hour’s work.

As always, this is my first crack based on what I know, and what I read out there on the interwebs today about Golang best practices. Let me know if you see anything blatantly wrong here and I will make it not so blatantly wrong in case any poor fool uses my code.
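
bcrypt only uses the first 72 bytes of its input, so the salt that combine() prepends decides how many password bytes are actually hashed. The following is an added example, not part of the original post: it models that cutoff with the standard library only and shows HMAC-SHA256 pre-hashing as one common mitigation. The names bcryptMaxInput, passwordBudget, effectiveInput and prehash, and the sample salt, are made up for this illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Hypothetical helpers for illustration. bcrypt only uses the first 72 bytes of its input.
const bcryptMaxInput = 72

// passwordBudget reports how many password bytes still reach bcrypt when a
// salt of saltLen bytes is prepended, as combine() in the post does.
func passwordBudget(saltLen int) int {
	if saltLen >= bcryptMaxInput {
		return 0
	}
	return bcryptMaxInput - saltLen
}

// effectiveInput models the cutoff: the bytes of salt+password bcrypt can see.
func effectiveInput(salt, pass string) string {
	in := salt + pass
	if len(in) > bcryptMaxInput {
		in = in[:bcryptMaxInput]
	}
	return in
}

// prehash is one common mitigation (an assumption here, not the post's code):
// HMAC-SHA256 keyed with the salt, base64-encoded to 44 printable bytes, so
// every password byte influences what bcrypt hashes.
func prehash(salt, pass string) string {
	mac := hmac.New(sha256.New, []byte(salt))
	mac.Write([]byte(pass))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

func main() {
	salt := strings.Repeat("s", 64)  // constructed stand-in for a 64-byte random salt
	a, b := "megaman49", "megaman48" // differ only in the 9th byte
	fmt.Println("budget with 64-byte salt:", passwordBudget(64))
	fmt.Println("budget with 8-byte salt: ", passwordBudget(8))
	fmt.Println("concat collides:", effectiveInput(salt, a) == effectiveInput(salt, b))
	fmt.Println("prehash collides:", prehash(salt, a) == prehash(salt, b))
}
```

The output of prehash() would be passed to bcrypt.GenerateFromPassword in place of the raw salt + password concatenation, and the same function applied to the guess before bcrypt.CompareHashAndPassword.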

Web Development Fun

My first programming related post! It’s sad that I’ve been neglecting this as it is what I plan on doing for the rest of my life. Maybe it’s a good thing as I’m more wrapped up in training and cooking than my future employment. I will say however that I really enjoy programming and that there are really interesting ways to apply yourself that can be more fun than “work”.

One of the main deficiencies in my education at the University of Alberta in Computing Science is that we spend virtually no time doing web design until 4th year and even then it is really only one class. We do courses on SQL, Java, C, all of which are valuable, but we haven’t actually built any useful products or projects that we can use as examples in our portfolios. Thankfully one of the courses I am currently enrolled in is based around Software Engineering and Android, so at least I will have some experience with Mobile Development through school! Being the smart student that I am, I realized that if I want to find a job when I graduate, I will have to accumulate some useful experience on my own.

One really cool event that I do yearly to build projects is Startup Weekend. It is a 54 hour hack session: ideas are pitched and teams are formed Friday night; Saturday and Sunday until 5 are all about building a working prototype; and Sunday evening is about demoing what you’ve got. So far I’ve helped to build 3 website back ends: one for Crowd Sourcing, a Point of Sales system, and most recently a Dating Website which ended up like a really poorly functioning version of Facebook. I personally love this startup environment and hope to one day do this as my full time profession. Having your database schema drawn on half a whiteboard, your site layout on the other, brainstorming ideas on the fly, and building fast makes for really exciting and challenging work days. Personally, I find I learn more practical stuff in one of these weekends than I do in a course over a full semester.

Anyway, I’ve had building my personal portfolio site on my //todo agenda for a long time, so I am planning on having that up and running by the end of the Winter semester. It is a good opportunity to learn some new skills, show off my talent as a web designer, and build a kick ass portfolio site for potential employers all in one shot. I am fairly comfortable with HTML and doing back end work in PHP, but my websites always end up looking so “Web 1.0” like this:

When what I have in my head is something like this:

So as part of my mission to become a better Web Developer, I plan on learning HTML5, CSS3.0, JavaScript, and some Ruby on Rails the right way. I’ve also ordered a book that helps explain how to choose colours, the science behind logical web layouts, fonts, and all of that other stuff that I’m oblivious to as a “hacker” and not a “designer”. The biggest problem I have when user interfaces are required is choosing colours. I swear I tinker with them for hours and can never find a good combination. To my enjoyment however I found this great site which has been a godsend for at least getting sample colours in my projects.

Much like the training side of my blog, I plan on discussing tips, tricks, resources and my experiences diving head first into Web Development. Wish me luck!