[Chicago-talk] dancer2 authentication

Daniel Rench drench at gmail.com
Tue Aug 11 20:35:50 PDT 2015


I agree with Chris: this looks like a good plugin if you use the
default bcrypt mode.

I'd suggest letting the module generate the salts for you though, and
I'd go with a single database column since the salt is embedded in the
bcrypt string itself[1].

Any thoughts on the default cost/work factor of 4? It seems low. Just
as a comparison, Devise (a common Rails authentication library)
defaults to 10.

[1] There's a decent explanation of the format in answer #2 here:
http://wenda.baba.io/questions/94842/can-someone-explain-how-bcrypt-verifies-a-hash.html

Dan


On Tue, Aug 11, 2015 at 6:30 PM, Chris Hamilton <cjhamil at gmail.com> wrote:
> I don't use Dancer, but I believe what you're looking for is
> Dancer2::Plugin::Passphrase.
>
> https://metacpan.org/pod/Dancer2::Plugin::Passphrase
>
> The important things to do (especially if you opt not to use a plugin) are to
> ensure you are using distinct per-user salts and using a strong hashing
> algorithm (e.g. bcrypt).  You'll store the salt and the bcrypt result in two
> columns in your DB.  To validate an authentication request from a user you
> will take their input, concatenate it with the same salt, bcrypt the result,
> and then compare the output to what you have stored.  If they match, the
> password was correctly entered.
>
> -Chris
>
> On Tue, Aug 11, 2015 at 5:21 PM, <richard at rushlogistics.com> wrote:
>>
>> I am using dancer2 and was wondering if someone could point me in the
>> direction of code that encrypts a password provided by a user so that it
>> can be stored in a MySQL database and code that would allow me to
>> match a provided password with the stored one when the user wants to log
>> back in. Would it be better to use some sort of dancer plugin or just write
>> my own code that uses Blowfish and Crypt::CBC? I am hoping that there must be
>> some strong existing code out there. Please let me know if you know of any
>> or if you have any ideas.
>>
>> Thanks
>> _______________________________________________
>> Chicago-talk mailing list
>> Chicago-talk at pm.org
>> http://mail.pm.org/mailman/listinfo/chicago-talk
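
The single-column and work-factor points from the reply at the top of this thread, as an added example that is not part of the original messages or of Dancer2::Plugin::Passphrase: a Python parser that pulls the cost and the embedded salt out of a stored bcrypt string and lists accounts below a cost floor. The `{CRYPT}` prefix handling, the floor of 10, the function names and the sample rows are assumptions made for illustration.

```python
import re

# bcrypt's own base64 alphabet (ordered differently from RFC 4648 base64)
B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# [{CRYPT}]$<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"(?:\{CRYPT\})?\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})"
)

MIN_COST = 10  # assumed policy floor, taken from the Devise default cited above


def parse_bcrypt(stored):
    """Split a stored bcrypt string into variant, cost, raw salt and digest."""
    m = BCRYPT_RE.fullmatch(stored)
    if not m:
        raise ValueError("not a bcrypt crypt string")
    variant, cost, salt_b64, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost must be between 4 and 31")
    # 22 chars * 6 bits = 132 bits; the salt is the leading 128 bits
    bits = 0
    for ch in salt_b64:
        bits = (bits << 6) | B64.index(ch)
    salt = (bits >> 4).to_bytes(16, "big")
    return {"variant": variant, "cost": cost, "salt": salt, "digest": digest}


def weak_cost_users(rows, min_cost=MIN_COST):
    """Return (user, cost) for rows whose work factor is below min_cost."""
    out = []
    for user, stored in rows:
        cost = parse_bcrypt(stored)["cost"]
        if cost < min_cost:
            out.append((user, cost))
    return out


# Constructed rows: correct shape only, not hashes of any real password.
SAMPLE_ROWS = [
    ("alice", "{CRYPT}$2a$04$" + "." * 22 + "A" * 31),
    ("bob", "$2a$12$" + "abcdefghijklmnopqrstuv" + "B" * 31),
]

if __name__ == "__main__":
    for user, stored in SAMPLE_ROWS:
        p = parse_bcrypt(stored)
        print(user, p["variant"], p["cost"], p["salt"].hex())
    print("below floor:", weak_cost_users(SAMPLE_ROWS))
```

Because the cost is stored per hash, rows flagged here can be re-hashed at a higher cost the next time each user logs in successfully.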

