Re^2: Adjust bcrypt cost to prevent future password hash attacks

by andreas1234567 (Vicar)
on Jun 12, 2012 at 13:03 UTC


in reply to Re: Adjust bcrypt cost to prevent future password hash attacks
in thread Adjust bcrypt cost to prevent future password hash attacks

I'm using a different bcrypt module, Crypt::Eksblowfish::Bcrypt,
According to the documentation, Digest::Bcrypt is mostly a wrapper around Crypt::Eksblowfish::Bcrypt.
.. it stores both the settings and the salt in the output hash
Does that mean you can deduce the cost from the output hash alone? In order to adjust the cost over time, one either needs to store the cost or be able to compute it (e.g. from the output hash).

--
No matter how great and destructive your problems may seem now, remember, you've probably only seen the tip of them. [1]
Re^3: Adjust bcrypt cost to prevent future password hash attacks
by Anonymous Monk on Jun 12, 2012 at 13:30 UTC
    Does that mean you can deduce the cost from the output hash alone? In order to adjust the cost over time, one either needs to store the cost or be able to compute it (e.g. from the output hash).

    I believe so. It's stored right after the $2a$. The output hash, by the looks of it, is similar to the way passwords are stored in Unixes -- and this is no surprise since bcrypt came from the OpenBSD guys.

    The format is: $cryptomethod$length$salt$password, although anything after $cryptomethod$ is roughly freeform and parsed by the method (i.e. bcrypt) itself.

    I'm not sure about what sort of hash Digest::Bcrypt is supposed to return, but it looks nothing like the raw Eksblowfish version. Personally, I would not trust this module if I cannot get an output similar to the crypt(3) C function from it.
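
Reading the cost back out of a stored crypt(3)-style bcrypt string, and using it to decide when to re-hash, as an added example that is not code from the thread or from either module. It uses core Perl only; `$TARGET_COST`, the function names and the sample strings are assumptions constructed for illustration.

```perl
use strict;
use warnings;

my $TARGET_COST = 12;    # assumed policy value, not from the thread

# Split a crypt(3)-style bcrypt string into its fields. Layout: "$2a$",
# two-digit cost, "$", 22 salt characters, 31 hash characters, all from the
# alphabet [./A-Za-z0-9]. Returns a hashref, or nothing if malformed.
sub parse_bcrypt {
    my ($stored) = @_;
    return unless defined $stored;
    my ($variant, $cost, $salt, $hash) = $stored =~
        m{\A\$(2[abxy]?)\$(\d\d)\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z}
        or return;
    return if $cost < 4 || $cost > 31;    # bcrypt's valid cost range
    return +{ variant => $variant, cost => $cost + 0,
              salt => $salt, hash => $hash };
}

# 1 = verify with the stored cost, then re-hash at $target while the
#     plaintext is available (i.e. right after a successful login);
# 0 = cost already meets the target; undef = not a bcrypt string.
sub needs_rehash {
    my ($stored, $target) = @_;
    my $fields = parse_bcrypt($stored) or return;
    return $fields->{cost} < $target ? 1 : 0;
}

# Constructed sample values (filler salt and hash, not real password hashes).
my @samples = (
    '$2a$08$' . ('A' x 22) . ('B' x 31),    # old, cheap cost
    '$2a$12$' . ('A' x 22) . ('B' x 31),    # already at target
    '$2a$8$'  . ('A' x 22) . ('B' x 31),    # malformed: one-digit cost
    '$2a$08$' . ('A' x 22),                 # truncated: hash part missing
);

for my $stored (@samples) {
    my $verdict = needs_rehash($stored, $TARGET_COST);
    my $fields  = parse_bcrypt($stored);
    printf "%-62s cost=%-3s %s\n", $stored,
        $fields ? $fields->{cost} : '-',
        !defined $verdict ? 'reject: not a valid bcrypt string'
      : $verdict          ? "re-hash at cost $TARGET_COST on next login"
      :                     'ok';
}
```

Because the cost travels inside the string, no separate cost column is needed: old hashes keep verifying at their original cost and are upgraded one login at a time.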
