AppendEmptySha256 is to append the SHA-256 of the empty hash to the unhashed password.

CheckPasswordHashValidity determines whether a (user-provided) password is already hashed, and if already hashed, verifies whether the hash is recognized as a valid hash.

CompareHashAndCleartextPassword tests that the provided bytes are equivalent to the hash of the supplied password.

GetSCRAMStoredCredentials retrieves the SCRAM credential parts.

HashPassword takes a raw password and returns a hashed password, hashed using the currently configured method.

LoadPasswordHash decodes a password hash loaded as bytes from a credential store.

LookupMethod returns the HashMethod by name.

MaybeConvertPasswordHash looks at the cleartext and the hashed password and determines whether the hash can be converted from/to crdb-bcrypt to/from scram-sha-256.

ScramIterCountToBcryptCost computes the inverse of the BcryptCostToSCRAMIterCount mapping.

DefaultBcryptCost is the hashing cost for the hashing method crdb-bcrypt.

DefaultSCRAMCost is the hashing cost for the hashing method SCRAM.

HashBCrypt indicates CockroachDB's bespoke bcrypt-based method.

HashInvalidMethod represents invalid hashes.

HashMissingPassword represents a virtual hash when there was no password.

HashSCRAMSHA256 indicates SCRAM-SHA-256.

ScramMaxCost is an arbitrary value to prevent unreasonably long logins.

ScramMinCost is as per RFC 5802.

BcryptCostToSCRAMIterCount maps the bcrypt cost in a pre-hashed password using the crdb-bcrypt method to an “equivalent” cost (iteration count) for the scram-sha-256 method.

MissingPasswordHash represents the virtual hash when there is no password to start with.

PasswordHash represents the type of a password hash loaded from a credential store.

HashMethod indicates which password hash method to use.

HashSemaphore is the type of a semaphore that can be provided to hashing functions to control the rate of password hashes.