Golang : Bcrypting password

From my past tutorial on salting password, a reader pointed out that there is a better way to handle/protect users passwords in case hackers managed to get the database plaintext data dump. The method he suggested is to use bcrypt algorithm...which automagically handle the salting part well.

The code below is my own experiment with the bcrypt package for Golang and see if it can be useful to you.

UPDATE: Fixed errata cipherText := saltedCipherText[23:] to cipherText := saltedCipherText[22:]

Thanks Steve Sharp for pointing out.

Here you go!

 package main

 import (
 "fmt"
 "golang.org/x/crypto/bcrypt"
 "strings"
 )

 func main() {
 passwd := []byte("password")

 hashedPassword, err := bcrypt.GenerateFromPassword(passwd, 10)

 if err != nil {
 panic(err)
 }

 fmt.Printf("The hashed password is : %s\n", string(hashedPassword))

 fmt.Printf("%q\n", strings.SplitN(string(hashedPassword), "$", 4))

 parts := strings.SplitN(string(hashedPassword), "$", 4)

 algorithm := parts[1]

 costFactor := parts[2] // number of iterations. Higher cost will increase brute force difficulty

 saltedCipherText := parts[3]

 fmt.Println("Algorithm : ", algorithm)

 fmt.Println("Cost Factor : ", costFactor)

 fmt.Println("Salt + Cipher Text : ", saltedCipherText)

 // in case you still want to store the salt separately in your database
 salt := saltedCipherText[0:22]

 fmt.Println("Salt : ", salt)

 cipherText := saltedCipherText[22:]

 fmt.Println("Cipher Text : ", cipherText)

 }

Sample output :

The hashed password is : $2a$10$qevL45Hnebe0SlbTKT36kuX87fq/sWDjzozJ/4OMh1hPcOo/SASqO

["" "2a" "10" "qevL45Hnebe0SlbTKT36kuX87fq/sWDjzozJ/4OMh1hPcOo/SASqO"]

Algorithm : 2a

Cost Factor : 10

Salt + Cipher Text : qevL45Hnebe0SlbTKT36kuX87fq/sWDjzozJ/4OMh1hPcOo/SASqO

Salt : qevL45Hnebe0SlbTKT36ku

Cipher Text : X87fq/sWDjzozJ/4OMh1hPcOo/SASqO

References :

https://github.com/golang/crypto/blob/master/bcrypt/bcrypt_test.go

http://dustwell.com/how-to-handle-passwords-bcrypt.html