go-hmaccrypt provides very strong password digests using a combination of a peppered hash-based message authentication code (HMAC) and a salted adaptive key derivation function like bcrypt.
A digest of each password is generated using e.g. HMAC-SHA512 with a pepper—a value stored separately from the final digests—after which a bcrypt digest of the HMAC digest is generated. The bcrypt digest is saved in e.g. a database.
With this approach, you can ensure the safety of user passwords even if an SQL injection compromises the contents of your database’s users table, or if a weakness is found in e.g. bcrypt. The approach is described here.
go-hmaccrypt can be used safely by multiple goroutines.
