July 2011 Archives

Safely Storing Passwords

My first post on here, hope it's well received!

In light of recent database hacks (MtGox, Sony, etc.), how to safely store passwords is at the front of every developer's mind.

Almost every dev knows that storing plaintext passwords is a bad idea, but most don't realise that storing a SHA hash should also be considered a bad idea.

The SHA + salt pattern has been widely adopted, however modern hardware can brute-force such hashes in a reasonable time using CUDA. In the near future it's not inconceivable that arbitrary hashes could be brute-forced in seconds.

Bcrypt solves the problem of hardware increasing in power and rendering your chosen hashing function obsolete: its work factor is tunable, so the hash can be made slower as hardware gets faster. I suggest reading How To Safely Store A Password, by Coda Hale, for the hairy details.

To use bcrypt in perl, you can use Crypt::Eksblowfish::Bcrypt.

To help people follow these best practices, I have written a Dancer plugin that simplifies creating and verifying bcrypt hashes: Dancer::Plugin::Bcrypt. Any feedback is welcome :)
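As an added example of the Crypt::Eksblowfish::Bcrypt usage mentioned above (this is not code from the post or from Dancer::Plugin::Bcrypt), here is hashing and verification in plain Perl. It assumes a Unix-like system with /dev/urandom, a work factor of 12, and a constructed demo password.

```perl
use strict;
use warnings;
use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);

# Work factor: bcrypt runs 2**COST rounds of its expensive key setup.
# Raise this as hardware gets faster; the cost is stored inside the hash.
use constant COST => 12;

# Read cryptographically random bytes from the kernel.
# Assumption: a Unix-like system that provides /dev/urandom.
sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = sysread $fh, my $buf, $n;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return $buf;
}

# Hash a password with a fresh 16-byte salt. The returned string
# ("$2a$12$<22-char salt><31-char hash>") is what you store in the database.
sub hash_password {
    my ($password) = @_;
    my $settings = sprintf '$2a$%02d$%s', COST, en_base64(random_bytes(16));
    return bcrypt($password, $settings);
}

# Compare two strings without stopping at the first mismatch, so the time
# taken does not reveal how many leading bytes of the hash were correct.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Verify a candidate against the stored hash. The cost and salt are embedded
# in the stored string, so bcrypt() recomputes with the same parameters and
# the result matches the stored value only if the password is correct.
sub verify_password {
    my ($candidate, $stored) = @_;
    return constant_time_eq(bcrypt($candidate, $stored), $stored);
}

# Demo with a constructed password (not a real credential).
my $stored = hash_password('correct horse battery staple');
print "stored: $stored\n";
print "right password: ", (verify_password('correct horse battery staple', $stored) ? 'ok' : 'FAIL'), "\n";
print "wrong password: ", (verify_password('Tr0ub4dor&3', $stored) ? 'FAIL' : 'rejected'), "\n";
```

Note that bcrypt only uses the first 72 bytes of the password, so very long passphrases are silently truncated; pre-hashing is outside the scope of this post.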

About LoonyPandora

I blog about Perl. I'm on Twitter, GitHub, and everywhere else as @LoonyPandora. Except the CPAN, where I'm JAITKEN. Silly character limits...