

Using bcrypt to secure passwords in Perl - geoffc
http://gcrawshaw.posterous.com/using-bcrypt-to-secure-passwords-in-a-perl-ap

======
LoonyPandora
I also blogged about this topic on blogs.perl.org the other week with some
code examples that work a little better [1].

Your code appears to work, but is subtly broken in a few ways. Firstly, since
you don't return the hash in the "standard" format ("$2a", "$", two digits,
"$", salt as 22 base 64 digits, '.', and 31 base 64 digits for the pass), one
can't tell what work factor was used to create the hash, making it hard to
verify a password. Secondly, the salt isn't sufficiently random; there are
modules out there that provide more randomness for cryptographic applications
such as this.

It's nice to see people blogging about this kind of thing for perl, but it's
important that the code is correct.

[1] [http://blogs.perl.org/users/james_aitken/2011/07/safely-stor...](http://blogs.perl.org/users/james_aitken/2011/07/safely-storing-passwords.html)
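
As an added example (not code from the post, from either blog, or from the
modules' own documentation), here is what the two points above look like in
Perl: a 16-byte salt read from the kernel CSPRNG, the standard `$2a$` crypt
string produced by Crypt::Eksblowfish::Bcrypt, a parser that recovers the cost
and salt from the stored string, and verification that re-hashes with exactly
the stored settings. It also shows the Authen::Passphrase::BlowfishCrypt route
recommended further down the thread. Reading /dev/urandom (Unix only), the
cost of 12, the password literal and the helper names are assumptions made
for the example.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);
use Authen::Passphrase::BlowfishCrypt;

# Work factor: 2**12 rounds of key setup. Raise it as hardware gets faster;
# because it is stored in the hash, old hashes still verify after a change.
my $COST = 12;   # assumption for the example

# Salt bytes from the kernel CSPRNG (assumes a Unix /dev/urandom; on other
# platforms Crypt::URandom::urandom($n) does the same job).
sub random_salt_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    my $got = read $fh, my $buf, $n;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return $buf;
}

# Build the settings prefix "$2a$NN$" + 22 bcrypt-base64 chars, then hash.
# bcrypt() returns the full 60-character crypt string; store that as-is.
sub hash_password {
    my ($password) = @_;
    my $salt     = en_base64(random_salt_bytes(16));   # 16 bytes -> 22 chars
    my $settings = sprintf('$2a$%02d$%s', $COST, $salt);
    return bcrypt($password, $settings);
}

# Parse a stored string. Everything needed to re-run the hash (cost, salt)
# is inside it; the alphabet is bcrypt's own base64 (./A-Za-z0-9).
sub parse_bcrypt {
    my ($stored) = @_;
    my ($cost, $salt, $digest) =
        $stored =~ m{^\$2a\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$}
        or return;
    return { cost => $cost, salt => $salt, digest => $digest };
}

# Constant-time equality so the comparison does not leak how many leading
# bytes of the digest matched.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

sub verify_password {
    my ($password, $stored) = @_;
    parse_bcrypt($stored) or return 0;        # unrecognised format: reject
    # "$2a$NN$" is 7 chars, the salt 22, so the settings prefix is 29 chars.
    my $settings = substr($stored, 0, 29);
    return ct_eq(bcrypt($password, $settings), $stored);
}

# The same two operations via Authen::Passphrase, which picks a random salt
# and emits/reads the standard crypt format itself.
sub hash_password_ap {
    my ($password) = @_;
    return Authen::Passphrase::BlowfishCrypt->new(
        cost        => $COST,
        salt_random => 1,
        passphrase  => $password,
    )->as_crypt;
}

sub verify_password_ap {
    my ($password, $stored) = @_;
    return Authen::Passphrase->from_crypt($stored)->match($password) ? 1 : 0;
}

# Demo with a constructed password.
my $pw     = 'correct horse battery staple';
my $stored = hash_password($pw);
my $parsed = parse_bcrypt($stored);
print "stored: $stored\n";
print "cost=$parsed->{cost} salt=$parsed->{salt}\n";
print verify_password($pw,    $stored) ? "manual: ok\n"  : "manual: FAIL\n";
print verify_password('nope', $stored) ? "manual: FAIL\n" : "manual: rejected\n";

my $stored_ap = hash_password_ap($pw);
print "authen: ", verify_password_ap($pw, $stored_ap) ? "ok\n" : "FAIL\n";
print "cross:  ", verify_password($pw, $stored_ap)    ? "ok\n" : "FAIL\n";
```

The last line is the practical payoff of the standard format: a hash written
by one library verifies under the other, because the cost and salt travel with
the digest rather than living in application code.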

~~~
geoffc
Thanks for the feedback. I will make some changes.

~~~
LoonyPandora
Have a look at Authen::Passphrase::BlowfishCrypt [1]. It handles a lot of my
suggestions automatically and is more suited to your general case than my code
is.

[1] [http://search.cpan.org/~zefram/Authen-Passphrase-0.007/lib/A...](http://search.cpan.org/~zefram/Authen-Passphrase-0.007/lib/Authen/Passphrase/BlowfishCrypt.pm)

~~~
geoffc
I have updated the code to use the standard storage format and switched to a
better salt generator.

------
draegtun
Also a very similar post _Safely Storing Passwords_ from a few days earlier on
blogs.perl.org which includes a Dancer bcrypt plugin:
[http://blogs.perl.org/users/james_aitken/2011/07/safely-stor...](http://blogs.perl.org/users/james_aitken/2011/07/safely-storing-passwords.html)

------
jrockway
No, no, no. Just use Authen::Passphrase.

~~~
geoffc
Thanks. I updated the blog with a pointer to the module.

~~~
jrockway
Nice! One thing that's great about blogging is that if you blog your code, a
reader is bound to golf it down to one line of code :)

------
alfiejohn_
It's a shame that the first comment was for a typo. Can't people get over
these things?

~~~
geoffc
Yes but the second comment on the blog was great, truly an education in
encryption for me.

