Re^3: Adjust bcrypt cost to prevent future password hash attacks


Keep It Simple, Stupid
	PerlMonks

Re^3: Adjust bcrypt cost to prevent future password hash attacks

by Anonymous Monk

on Jun 12, 2012 at 13:30 UTC ( [id://975806]=note: print w/replies, xml )

Need Help??

in reply to Re^2: Adjust bcrypt cost to prevent future password hash attacks
in thread Adjust bcrypt cost to prevent future password hash attacks

Does that mean you can deduce the cost from the output hash alone? In order to adjust the cost over time, one either need to store the cost or be able to compute it (e.g. from the output hash).

I believe so. It's stored right after the $2a$ . The output hash, by the looks of it, is similar to the way passwords are stored in Unixes -- and this is no surprise since bcrypt came from the OpenBSD guys.

The format is: $cryptomethod$length$salt$password, although anything after $cryptomethod$ is roughly freeform and parsed by the method (i.e. bcrypt) itself.

I'm not sure about what sort of hash Digest::Bcrypt is supposed to return, but it looks nothing like the raw Eksblowfish version. Personally, I would not trust this module if I cannot get an output similar to the crypt(3) C function from it.

Comment on Re^3: Adjust bcrypt cost to prevent future password hash attacks Select or Download Code

In Section Seekers of Perl Wisdom

Domain Nodelet^?

www.com | www.net | www.org

Node Status^?

node history
Node Type: note [id://975806]
help

Chatterbox^?

How do I use this? • Last hour • Other CB clients

Other Users^?

Others chanting in the Monastery: (4)

As of 2024-04-26 08:01 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Today I Learned

Voting Booth^?

No recent polls found