Beefy Boxes and Bandwidth Generously Provided by pair Networks
P is for Practical

comment on

( #3333=superdoc: print w/replies, xml ) Need Help??

I'm using Digest::BCrypt on heavily salted passwords for my systems. I have everything in a database, so my code is probably slightly more complex than yours. Take a look at my Password handler:

package PageCamel::Helpers::Passwords; #---AUTOPRAGMASTART--- use 5.030; use strict; use warnings; use diagnostics; use mro 'c3'; use English; use Carp qw[carp croak confess cluck longmess shortmess]; our $VERSION = 3.5; use autodie qw( close ); use Array::Contains; use utf8; use Data::Dumper; use PageCamel::Helpers::UTF; #---AUTOPRAGMAEND--- # PAGECAMEL (C) 2008-2020 Rene Schickbauer # Developed under Artistic license use Digest; use Data::Entropy::Algorithms qw(rand_bits); use MIME::Base64; use PageCamel::Helpers::DateStrings; use Time::HiRes qw[sleep]; use base qw(Exporter); our @EXPORT= qw(update_password verify_password gen_textsalt); ## no c +ritic (Modules::ProhibitAutomaticExportation) sub gen_textsalt { my $saltbase = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN +OPQRSTUVWXYZ'; my $salt = ''; my $count = int(rand(20))+20; for(1..$count) { my $pos = int(rand(length($saltbase))); $salt .= substr($saltbase, $pos, 1); } return $salt; } sub update_password { my ($dbh, $username, $password) = @_; # While pre- and postsalt does not much for complexity, it helps p +reventing rainbow tables attacks. # I know, the bcrypt salt already does that, in case of a general +bcrypt breach, this should # make it a bit more difficult. my $presalt = gen_textsalt(); my $postsalt = gen_textsalt(); my $bsalt = rand_bits(16*8); # 16 octets (16 bytes at 8 bits) #print length($bsalt) . "\n"; #print $bsalt . "\n"; my $bsalt_b64 = encode_base64($bsalt, ''); #my $cost = getCurrentYear() - 2000 + 3; my $cost = 5; # FIXME: Make SystemSetting my $bcrypt = Digest->new('Bcrypt'); $bcrypt->cost($cost); $bcrypt->salt($bsalt); $bcrypt->add($presalt); $bcrypt->add($password); $bcrypt->add($postsalt); my $pwsalted = $bcrypt->b64digest; my $upsth = $dbh->prepare("UPDATE users SET password_prefix = ?, password_postfix = ?, password_bcrypt_hash = ?, password_bcrypt_salt = ?, password_bcrypt_cost = ?, next_password_change = now() + interval +'12 weeks' WHERE username = ?") or croak($dbh->errstr); if(!$upsth->execute($presalt, $postsalt, $pwsalted, $bsalt_b64, $c +ost, $username)) { return 0; } return 1; } sub verify_password { my ($dbh, $username, $password) = @_; # Pre-initialize for random pw calculations in case no user is fou +nd (there should be no # measurable time difference for unknown users. This will make it +harder to guess is a username # exists) my $presalt = gen_textsalt(); my $postsalt = gen_textsalt(); my $bsalt = rand_bits(16*8); # 16 octets (16 bytes at 8 bits) #my $cost = getCurrentYear() - 2000 + 3; my $cost = 16; # FIXME: Make SystemSetting my $pwhash = ''; my $isLocked = 0; my $selsth = $dbh->prepare("SELECT account_locked, password_prefix, password_postfix, password_bcrypt_hash, password_bcrypt_salt, password_bcrypt_cost FROM users WHERE username = ? AND password_prefix != '' AND password_postfix != '' AND password_bcrypt_hash != '' AND password_bcrypt_salt != '' ") or croak($dbh->errstr); if(!$selsth->execute($username)) { return 0; } my $found = 0; while((my $line = $selsth->fetchrow_arrayref)) { my $bsalt_b64; ($isLocked, $presalt, $postsalt, $pwhash, $bsalt_b64, $cost) = + @{$line}; $bsalt = decode_base64($bsalt_b64); $found = 1; last; } $selsth->finish; my $bcrypt = Digest->new('Bcrypt'); $bcrypt->cost($cost); $bcrypt->salt($bsalt); $bcrypt->add($presalt); $bcrypt->add($password); $bcrypt->add($postsalt); my $pwsalted = $bcrypt->b64digest; # sleep for a random amount of time, up to a second fo further lim +it # bruteforcing and "unknown user" detection my $sleeptime = int(rand(900) + 100) / 1000; sleep($sleeptime); if($isLocked || !$found || $pwsalted ne $pwhash) { return 0; } return 1; } 1; __END__ =head1 NAME PageCamel::Helpers::Passwords - handle passwords in a PageCamel databa +se =head1 SYNOPSIS use PageCamel::Helpers::Passwords; =head1 DESCRIPTION This central module does all the actual password handling for PageCame +l projects. This way, changing the hashing algorithm or adapting its +strengh (vs time) can be done in one central place in the code. =head2 gen_textsalt Randomly generate a salt used for hashing passwords. =head2 update_password Update a password in the database (also generates a new salt). =head2 verify_password Verify correctness of a password. =head1 IMPORTANT NOTE This module is part of the PageCamel framework. Currently, only limite +d support and documentation exists outside my DarkPAN repositories. This source +is currently only provided for your reference and usage in other projects + (just copy&paste what you need, see license terms below). To see PageCamel in action and for news about the project, visit my blog at L<>. =head1 AUTHOR Rene Schickbauer, E<lt>cavac@cpan.orgE<gt> =head1 COPYRIGHT AND LICENSE Copyright (C) 2008-2020 Rene Schickbauer This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.10.0 or, at your option, any later version of Perl 5 you may have available. =cut

I'm also enforcing quite complex passwords that are very hard to guess.

perl -e 'use Crypt::Digest::SHA256 qw[sha256_hex]; print substr(sha256_hex("the Answer To Life, The Universe And Everything"), 6, 2), "\n";'

In reply to Re: Replacing crypt() for password login via a digest - looking for stronger alternative by cavac
in thread Replacing crypt() for password login via a digest - looking for stronger alternative by davebaker

Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":

  • Are you posting in the right place? Check out Where do I post X? to know for sure.
  • Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
    <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
  • Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
  • Want more info? How to link or or How to display code and escape characters are good places to start.
Log In?

What's my password?
Create A New User
Domain Nodelet?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others romping around the Monastery: (3)
As of 2021-10-22 00:54 GMT
Find Nodes?
    Voting Booth?
    My first memorable Perl project was:

    Results (85 votes). Check out past polls.