[RADIATOR] BCRYPT

Mike Puchol puchol at me.com
Fri Sep 30 13:01:14 CDT 2011


 Hi Derek, 

This is a broad-stroke version of Eksblowfish on Perl:

use Crypt::Eksblowfish::Bcrypt; use Digest::SHA1 qw(sha1_base64);

# Setup algorithm
 $settings = '$2a$10$' . $salt; 

# Perform hash
 $hash = Crypt::Eksblowfish::Bcrypt::bcrypt($password, $settings);

where $salt is a 22-char base64 encoded string output of a random 16 bytes, or something else of your choosing. This example uses a cost factor of 10, which on my machine takes some 80ms to generate, enough to prevent brute-force attacks. If you don't have a background on why fast password hashing is bad, this article is a good read:

http://codahale.com/how-to-safely-store-a-password/

You can install Crypt::Eksblowfish from CPAN.

If you need to match this with PHP code doing the same (eg. captive portal), you can use this code:

// Setup algorithm
 $settings = '$2a$10$' . $salt . '$'; 

// Hash
 $hash = crypt($password, $settings);

Make sure you use PHP 5.3.0 or higher, as it contains built-in implementations of the most common hashing methods, including Blowfish.

Cheers,

Mike



On Friday, September 30, 2011 at 1:35 PM, Derek Buttineau wrote:

> On 2011-09-30, at 7:08 AM, Heikki Vatiainen wrote:
> 
> > On 08/25/2011 12:24 PM, Heikki Vatiainen wrote:
> > 
> > Hello Derek,
> > 
> > > On 08/24/2011 03:36 PM, Derek Buttineau wrote:
> > 
> > > > I was actually thinking of AuthBy SQL. We're currently using UNIX crypt, but realized it's time to improve security. I'm being told that bcrypt is the way to go (OpenBSD style 2a/2y). So I guess wait for 4.8 or the patches to be issued?
> > 
> > > So the additional hash types may require more work than I originally
> > > thought. We'll need to check a bit more how to do this. I'll keep you
> > > and the list posted.
> > 
> > Radiator 4.9 now has more hash types supported. You may want to see if
> > these are useful to you.
> > 
> > From the list of changes:
> > 
> > Added support for passwords encrypted with $2a$, $2x$ and $2y$
> > blowfish crypt and $5$ SHA-256 crypt (where supported by the
> > underlying crypt()). Improvements to support rounds= notation in
> > SHA-256, SHA512 crypt.
> 
> 
> Thanks Heikki,
> 
> I'll check it out!
> 
> Cheers,
> 
> Derek
> _______________________________________________
> radiator mailing list
> radiator at open.com.au (mailto:radiator at open.com.au)
> http://www.open.com.au/mailman/listinfo/radiator



More information about the radiator mailing list