used bcrypt for user password

ii/db.go

@@ -7,7 +7,6 @@ package ii
 import (
 	"bufio"
 	"crypto/sha256"
-	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
@@ -19,6 +18,7 @@ import (
 	"sync"
 	"sync/atomic"
 	"time"
+	"golang.org/x/crypto/bcrypt"
 )
 
 // This is index entry. Information about message that is loaded in memory.
@@ -906,8 +906,12 @@ func IsPassword(u string) bool {
 // String is something like id + user + password
 func MakeSecret(msg string) string {
 	h := sha256.Sum256([]byte(msg))
-	s := base64.URLEncoding.EncodeToString(h[:])
-	return s[0:10]
+	hash, err := bcrypt.GenerateFromPassword(h[:], bcrypt.DefaultCost)
+	if err != nil {
+		Error.Printf("bcrypt problem")
+		return "bcryptProblem"
+	}
+	return string(hash)
 }
 
 // Return secret for username or "" if no such user
@@ -929,7 +933,8 @@ func (db *UDB) Auth(User string, Passwd string) bool {
 	if !ok {
 		return false
 	}
-	return ui.Secret == MakeSecret(User+Passwd)
+	secret := sha256.Sum256([]byte(User+Passwd))
+	return bcrypt.CompareHashAndPassword([]byte(ui.Secret), secret[:]) == nil
 }
 
 // Returns true if Secret (pauth) is valid