Using bcrypt to secure passwords in Perl

[LoonyPandora]

I also blogged about this topic on blogs.perl.org the other week with some code examples that work a little better [1].

Your code appears to work, but is subtly broken in a few ways. Firstly since you don't return the hash in the "standard" format ("$2a", "$", two digits, "$", salt as 22 base 64 digits, '.', and 31 base 64 digits for the pass), one can't tell what work factor was used to create the hash - making it hard to verify a password. Secondly the salt isn't sufficiently random, there are modules out there that provide more randomness for cryptographic applications such as this.

It's nice to see people blogging about this kind of thing for perl, but it's important that the code is correct.

[1] http://blogs.perl.org/users/james_aitken/2011/07/safely-stor...

[geoffc]

Thanks for the feedback. I will make some changes.

[LoonyPandora]

Have a look at Authen::Passphrase::BlowfishCrypt [1]. it handles a lot of my suggestions automatically and is more suited to your general-case than my code is.

[1] http://search.cpan.org/~zefram/Authen-Passphrase-0.007/lib/A...

[geoffc]

I have updated the code to use the standard storage format and switched to a better salt generator.

[tomjen3]

And that is why I don't like bcrypt -- it is far too easily to screw something up in non-obvious ways.

[rimantas]

Yeah, at least by using md5 one can easily screw everything up in an obvious way.

[marshray]

I think you were being sarcastic, but sometimes that is indeed an improvement.

[pyre]

I think that point of the sarcasm was that using MD5 is the obvious screw-up.

[marshray]

Yes, I understand that. I was saying that an obviously screwed-up system is often better than a subtly screwed-up one.

Nevertheless, a well-implemented MD5-based system could still be "less bad" than the buggy home-rolled bcrypt in that link.

[geoffc]

How is the latest iteration on the blog?

[marshray]

What's the link to the exact code in question? I don't see it.

[geoffc]

https://gist.github.com/1071698

[marshray]

Some quick impressions:

* There's no serious set of test cases. Many Bcrypt implementations were bitten recently when it turned out that they didn't properly handle characters with the high bit set.

* It only ever uses a work factor exponent of 8 which is probably too small for most modern use.

* Even if the password hash specifies a different work factor it will still use 8, and then fail.

* It's not going to interoperate with other implementations for these two reasons.

* The timing of regex's excecution probably leaks information about the salt.

* It uses perl's 'eq' for comparing the strings. The time that this function takes to run is probably dependent on the length of the matching prefix of the two strings. So there's possibly a timing attack enabling an unauthenticated remote attacker to read some of the password hash string. He may need to know the salt, but the salt is not considered a strongly-kept secret. Nate Lawson's blog is a great source on this topic http://rdist.root.org/2010/01/

[draegtun]

Also a very similar post Safely Storing Passwords from a few days earlier on blogs.perl.org which includes a Dancer bcrypt plugin: http://blogs.perl.org/users/james_aitken/2011/07/safely-stor...

[jrockway]

No, no, no. Just use Authen::Passphrase.

[geoffc]

Thanks. I updated the blog with a pointer to the module.

[jrockway]

Nice! One thing that's great about blogging is that if you blog your code, a reader is bound to golf it down to one line of code :)

[alfiejohn_]

It's a shame that the first comment was for a typo. Can't people get over these things?

[geoffc]

Yes but the second comment on the blog was great, truly an education in encryption for me.